Which skills recently failed
or triggered trust review
This is not a popularity board. It shows recently reviewed skills that the system believes should be blocked or at least manually reviewed. The point is not how popular they are, but why they should not be installed blindly.
Review
memory-compactor
Documentation-only skill with unverifiable behavior
Manual upload Apr 3, 2026
Open Report ↗
Review
onetrust
Third-party credential proxy without transparency
Manual upload Apr 3, 2026
Open Report ↗
Review
blood-pressure-therapy
Undeclared external URL references
Manual upload Apr 3, 2026
Open Report ↗
Review
PathClaw
Hardcoded External IP Address
Manual upload Apr 3, 2026
Open Report ↗
Review
authlock
Shell command injection vulnerability in --exec
Manual upload Apr 3, 2026
Open Report ↗
Review
claw-wallet
Unsigned closed-source binary execution without integrity verification
Manual upload Apr 3, 2026
Open Report ↗
Review
edge
Undeclared shell execution via npx spawn
Manual upload Apr 3, 2026
Open Report ↗
Review
skill-state-manager
Credential Harvesting Framework
Manual upload Apr 3, 2026
Open Report ↗
Review
video-to-text
Undeclared subprocess execution via execSync
Manual upload Apr 3, 2026
Open Report ↗
Review
youdaonote
Dangerous curl|bash installation pattern documented
Manual upload Apr 3, 2026
Open Report ↗
Review
bitable_to_feishu_webhook
Data exfiltration via undeclared webhook URL
Manual upload Apr 3, 2026
Open Report ↗
Review
self-evolution-engine
Hardcoded API Key
Manual upload Apr 3, 2026
Open Report ↗
Review
affiliate-skills
Remote Script Execution via Pipe-to-Shell
Manual upload Apr 3, 2026
Open Report ↗
Review
long-term-memory
Hardcoded API Key in Source Code
Manual upload Apr 3, 2026
Open Report ↗
Review
browser-automation
Hardcoded billing API key exposed in source code
Manual upload Apr 3, 2026
Open Report ↗
Review
clawguard-auditor
Embedded reverse shell command patterns
Manual upload Apr 3, 2026
Open Report ↗