Which skills recently failed
or triggered trust review
This is not a popularity board. It shows recently reviewed skills that the system believes should be blocked or at least manually reviewed. The point is not how popular they are, but why they should not be installed blindly.
Review
lessac_offline_voice_system
False claim of offline operation
Manual upload Apr 4, 2026
Open Report ↗
Review
pumpclaw-agent
Deposit wallet private keys stored in plaintext SQLite
Manual upload Apr 4, 2026
Open Report ↗
Review
xhs-skill-pusher
Shell execution not declared in SKILL.md
Manual upload Apr 4, 2026
Open Report ↗
Review
openclaw-usage-manager
API tokens stored in plaintext on disk
Manual upload Apr 4, 2026
Open Report ↗
Review
search
Hardcoded API Credential in Source Code
Manual upload Apr 4, 2026
Open Report ↗
Review
x-daily-report
Hardcoded API Key in Source Code
Manual upload Apr 4, 2026
Open Report ↗
Review
clawclone
Missing implementation file
Manual upload Apr 4, 2026
Open Report ↗
Review
微信助手智能网关 (wechat-ai-bridge)
Undeclared external network communication
Manual upload Apr 4, 2026
Open Report ↗
Review
polymarket-opportunities-scanning
Shell execution undeclared in SKILL.md
Manual upload Apr 4, 2026
Open Report ↗
Review
lock-me-in
Undeclared stealth/anti-detection browser scripts
Manual upload Apr 4, 2026
Open Report ↗
Review
calendar_memo
Undeclared shell command execution
Manual upload Apr 4, 2026
Open Report ↗
Review
openclaw-security-patrol
Extensive device fingerprinting under --push mode
Manual upload Apr 4, 2026
Open Report ↗
Review
MemOptimizer (记忆优化器)
Undeclared shell execution via child_process.exec()
Manual upload Apr 4, 2026
Open Report ↗
Review
aagent-system
Undeclared External Script Execution
Manual upload Apr 4, 2026
Open Report ↗
Review
feishu-evolver-wrapper
Dynamic code evaluation on untrusted input
Manual upload Apr 4, 2026
Open Report ↗
Review
buy-domain-helper
Undeclared shell execution via execSync and spawn
Manual upload Apr 4, 2026
Open Report ↗