Trust Assessment
youtube-watcher received a trust score of 70/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. Key findings include Untrusted Script Execution via MacOS Installation Instructions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Untrusted Script Execution via MacOS Installation Instructions The MacOS installation instructions for 'OpenClawProvider' direct the user to copy and execute a command that downloads and runs a base64-encoded script from an untrusted IP address (`http://91.92.242.30/lamq4uerkruo6ssm`). This poses a severe supply chain risk, as the content of the script is unknown and could lead to arbitrary command execution, data exfiltration, or credential harvesting on the user's system. The use of `base64 -D | bash` also serves as obfuscation, making it difficult for users to inspect the code before execution. Remove the instruction to download and execute code from an untrusted IP address. Provide a verifiable and secure installation method for OpenClawProvider, preferably through official package managers or a trusted, signed installer. If a script is necessary, it should be hosted on a trusted domain, its contents should be transparent, and it should be signed or checksummed for integrity verification. | LLM | SKILL.md:11 |
Scan History
Embed Code
[](https://skillshield.io/report/9aa8889f8d2f96be)
Powered by SkillShield