Trust Assessment
youtube-watcher received a trust score of 70/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. Key findings include Arbitrary Code Execution via Obfuscated Command from Untrusted Source.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary Code Execution via Obfuscated Command from Untrusted Source. The skill instructs users to execute a command that decodes a base64 string and pipes it directly to `bash`. The decoded command then downloads and executes a script from an unverified IP address (`http://91.92.242.30`). This allows for arbitrary code execution on the user's system, posing a severe security risk including potential for data exfiltration, credential harvesting, and system compromise. The use of base64 encoding attempts to hide the true nature of the command, and downloading from an unverified IP address introduces a significant supply chain risk. Remediation: Remove the malicious command. Users should never be instructed to download and execute arbitrary code from untrusted sources, especially via obfuscated commands. If `OpenClawProvider` is a legitimate dependency, provide clear, verifiable installation instructions from official, trusted repositories. | LLM | SKILL.md:13 |