Trust Assessment
xclaw02 received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 2 critical, 3 high, 1 medium, and 0 low severity. Key findings include Prompt Injection via Skill Instructions, Potential Command Injection via User-Controlled Arguments, and Excessive Permissions: Arbitrary Package Installation and Execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Prompt Injection via Skill Instructions.** The skill's `SKILL.md` file, which is treated as untrusted input, contains direct instructions for the host LLM on how to respond to user queries. The 'How to Respond' table explicitly dictates commands the LLM should execute (e.g., `xclaw02 probe <url>`, `xclaw02 pay <url>`) based on user input. This is a direct attempt by the untrusted skill definition to manipulate the LLM's behavior and execute arbitrary commands. Skill definitions should describe capabilities, not dictate LLM behavior. The LLM should decide how to use tools based on its own reasoning, not follow hardcoded instructions from untrusted skill content. Rephrase instructions as tool descriptions or examples, not direct commands. | LLM | SKILL.md:23 |
| CRITICAL | **Excessive Permissions: Arbitrary Package Installation and Execution.** The skill requires the `pip` and `npx` binaries, and explicitly instructs the agent to use them for installation (`pip install xclaw02`) and execution (`npx xclaw02`). This grants the agent the ability to install and execute arbitrary Python and Node.js packages from public repositories. This level of access is highly excessive and could lead to full system compromise if a malicious package is installed or if the agent is tricked into installing an unintended package. Agents should operate with the principle of least privilege. Avoid granting direct access to package managers like `pip` or `npx`. If external dependencies are required, they should be pre-installed and managed by the skill's environment, not by the agent at runtime. Consider using isolated environments or containerization for skill execution. | LLM | SKILL.md:48 |
| HIGH | **Potential Command Injection via User-Controlled Arguments.** The skill instructs the agent to construct and execute shell commands using user-provided input, such as `<url>` and `<address>`. For example, `xclaw02 probe <url>` or `xclaw02 wallet balance <address>`. If the `xclaw02` tool does not sufficiently sanitize these inputs, a malicious user could inject shell metacharacters (e.g., `example.com; rm -rf /`) to execute arbitrary commands on the host system. Ensure all user-provided inputs passed to shell commands are rigorously sanitized and escaped. Ideally, use a tool execution framework that handles argument sanitization automatically or passes arguments as a list to prevent shell interpretation. The `xclaw02` tool itself should be robust against command injection. | LLM | SKILL.md:26 |
| HIGH | **Supply Chain Risk: Unpinned Dependencies.** The skill instructs the agent to install and execute packages without specifying a version (`pip install xclaw02`, `npx xclaw02`). This means the latest version available on PyPI or npm will always be fetched. This introduces a significant supply chain risk: if the `xclaw02` package maintainer's account is compromised, or if a malicious version is published, the agent could unknowingly install and execute compromised code. Always pin dependencies to specific, known-good versions (e.g., `pip install xclaw02==1.2.3`, `npx xclaw02@1.2.3`). Regularly audit and update these pinned versions. Implement package integrity checks (e.g., hash verification) if possible. | LLM | SKILL.md:48 |
| HIGH | **Sensitive Credential Handling (Private Key).** The skill explicitly requires and handles a cryptocurrency private key (`XCLAW02_PRIVATE_KEY`) for making payments. While the skill advises using environment variables and not exposing the key, the mere act of an automated agent loading and using such a highly sensitive credential increases the attack surface. A vulnerability in the agent's execution environment, the `xclaw02` tool, or improper logging could lead to the compromise of the private key, resulting in potential loss of funds. Implement robust secrets management practices. Consider using hardware security modules (HSMs) or secure enclave technologies for private key operations. Ensure the agent's execution environment is highly isolated and hardened. Review the `xclaw02` tool's source code for secure handling of private keys. Limit the funds associated with any automated agent's wallet. | LLM | SKILL.md:158 |
| MEDIUM | **Potential Data Exfiltration via Sensitive Command Output.** The skill instructs the agent to execute commands that produce sensitive financial and transaction-related output, such as wallet balances (`xclaw02 wallet balance`), payment details (`xclaw02 probe`), and transaction hashes (`xclaw02 pay`). If the agent's output is logged, stored, or relayed to an unauthorized party without proper sanitization or access controls, this sensitive information could be exfiltrated. Implement strict output filtering and sanitization for all agent interactions. Ensure that sensitive data like transaction hashes, wallet balances, or private keys are never logged or displayed unless explicitly requested by an authorized user and with appropriate warnings. Consider redacting or masking sensitive information in logs and user-facing outputs. | LLM | SKILL.md:79 |
Full report: https://skillshield.io/report/0a1db5af7e948261