Which skills recently failed
or triggered trust review
This is not a popularity board. It shows recently reviewed skills that the system believes should be blocked or at least manually reviewed. The point is not how popular they are, but why they should not be installed blindly.
High Risk
Bounty Hunter Agent
Hardcoded DeepSeek API Key in Documentation
Manual upload Apr 4, 2026
Open Report ↗
High Risk
kuaidi-query
Hardcoded API Credentials Exposed
Manual upload Apr 4, 2026
Open Report ↗
Review
promptbuddy
Missing Implementation Files
Manual upload Apr 4, 2026
Open Report ↗
Review
chinese-bank-forex-rates
Missing implementation file
Manual upload Apr 4, 2026
Open Report ↗
Review
lessac_offline_voice_system
False claim of offline operation
Manual upload Apr 4, 2026
Open Report ↗
Review
swarmrecall
Comprehensive agent context exfiltration to third-party
Manual upload Apr 4, 2026
Open Report ↗
Review
pumpclaw-agent
Deposit wallet private keys stored in plaintext SQLite
Manual upload Apr 4, 2026
Open Report ↗
Review
xhs-skill-pusher
Shell execution not declared in SKILL.md
Manual upload Apr 4, 2026
Open Report ↗
Review
openclaw-usage-manager
API tokens stored in plaintext on disk
Manual upload Apr 4, 2026
Open Report ↗
Review
search
Hardcoded API Credential in Source Code
Manual upload Apr 4, 2026
Open Report ↗
Review
x-daily-report
Hardcoded API Key in Source Code
Manual upload Apr 4, 2026
Open Report ↗
High Risk
aibtc
Unpinned Remote Code Execution via npx
Manual upload Apr 4, 2026
Open Report ↗
Review
oracle-report
Hardcoded QVeris API Key
Manual upload Apr 4, 2026
Open Report ↗
Review
clawclone
Missing implementation file
Manual upload Apr 4, 2026
Open Report ↗
Review
微信助手智能网关 (wechat-ai-bridge)
Undeclared external network communication
Manual upload Apr 4, 2026
Open Report ↗
Review
polymarket-opportunities-scanning
Shell execution undeclared in SKILL.md
Manual upload Apr 4, 2026
Open Report ↗