Security Audit
sundial-org/awesome-openclaw-skills:skills/ai-code-review
github.com/sundial-org/awesome-openclaw-skillsTrust Assessment
sundial-org/awesome-openclaw-skills:skills/ai-code-review received a trust score of 64/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. Key findings include Unpinned external command execution via npx.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on March 3, 2026 (commit 6d998e00). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| MEDIUM | Unpinned external command execution via npx The skill documentation instructs users to execute `npx ai-code-review`. `npx` by default fetches and executes the latest version of a package from the npm registry. This poses a supply chain risk as a malicious update to the `ai-code-review` package or a typosquat could lead to arbitrary code execution on the user's machine without explicit version review. While this is a user-facing instruction, it represents a risk associated with the skill's recommended usage. Recommend specifying a version for `npx` commands (e.g., `npx ai-code-review@1.0.0`) or providing a mechanism for users to verify the package's integrity before execution. Alternatively, provide the full command to install a specific version globally (e.g., `npm install -g ai-code-review@1.0.0` then `ai-code-review`). | LLM | SKILL.md:10 |
Scan History
Embed Code
[](https://skillshield.io/report/a4898be3f583eb01)
Powered by SkillShield