Security Audit
sundial-org/awesome-openclaw-skills:skills/apple-docs-mcp
github.com/sundial-org/awesome-openclaw-skills

Trust Assessment
sundial-org/awesome-openclaw-skills:skills/apple-docs-mcp received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The key finding is "Unpinned external dependency in command execution".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on March 3, 2026 (commit 6d998e00). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unpinned external dependency in command execution: The skill's configuration specifies an `npx` command to execute the `@kimsungwhee/apple-docs-mcp` package without a version constraint. This means the latest version of the package will always be fetched and executed from the npm registry. A malicious update to this package, or a compromise of its maintainer, could lead to arbitrary code execution on the host system when the skill is invoked. The `-y` flag further bypasses any interactive confirmation during installation, increasing the risk. Recommendation: pin the dependency to a specific, known-good version (e.g., `"@kimsungwhee/apple-docs-mcp@1.0.0"`) to prevent unexpected or malicious updates. Regularly review and update the pinned version after security vetting. Consider using a private registry or auditing the package's source code if it is critical. | Static | SKILL.md:9 |
Full report: https://skillshield.io/report/ab508c3bd1178849
Powered by SkillShield