Which skills recently failed
or triggered trust review
This is not a popularity board. It shows recently reviewed skills that the system believes should be blocked or at least manually reviewed. The point is not how popular they are, but why they should not be installed blindly.
Review
gateway-monitor-installer
Undeclared external network access
Manual upload Apr 4, 2026
Open Report ↗
High Risk
product-demo-video
Destructive `rm -rf` glob command in install script
Manual upload Apr 4, 2026
Open Report ↗
High Risk
deepsafe-scan
Network access not declared in SKILL.md
Manual upload Apr 4, 2026
Open Report ↗
Review
birthday
Undeclared email notification channel
Manual upload Apr 4, 2026
Open Report ↗
Review
China Stock Sentiment
Undeclared shell execution via child_process.execSync
Manual upload Apr 4, 2026
Open Report ↗
High Risk
Bounty Hunter Agent
Hardcoded DeepSeek API Key in Documentation
Manual upload Apr 4, 2026
Open Report ↗
High Risk
kuaidi-query
Hardcoded API Credentials Exposed
Manual upload Apr 4, 2026
Open Report ↗
Review
promptbuddy
Missing Implementation Files
Manual upload Apr 4, 2026
Open Report ↗
Review
chinese-bank-forex-rates
Missing implementation file
Manual upload Apr 4, 2026
Open Report ↗
Review
lessac_offline_voice_system
False claim of offline operation
Manual upload Apr 4, 2026
Open Report ↗
Review
pumpclaw-agent
Deposit wallet private keys stored in plaintext SQLite
Manual upload Apr 4, 2026
Open Report ↗
Review
xhs-skill-pusher
Shell execution not declared in SKILL.md
Manual upload Apr 4, 2026
Open Report ↗
Review
openclaw-usage-manager
API tokens stored in plaintext on disk
Manual upload Apr 4, 2026
Open Report ↗
Review
search
Hardcoded API Credential in Source Code
Manual upload Apr 4, 2026
Open Report ↗
Review
x-daily-report
Hardcoded API Key in Source Code
Manual upload Apr 4, 2026
Open Report ↗
High Risk
aibtc
Unpinned Remote Code Execution via npx
Manual upload Apr 4, 2026
Open Report ↗