Skill Trust Decision

complianceradar-ai-monitor

Name: complianceradar-ai-monitor Trust Review Report
Item: complianceradar-ai-monitor
Rating: 58
Author: ClawSafe

Documentation-only skill with no implementation code but exhibits suspicious branding ('empire-skills') and placeholder API keys that could be mistaken for real configuration.

Install decision first Source: Manual upload Scanned: Apr 5, 2026

Files 1

Artifacts 9

Violations 0

Findings 4

Most direct threat evidence

High API Key

API_KEY="your-sec-api-key"

Why this conclusion was reached

1/4 dimensions flagged

Pass

Declared vs actual capability

Declared resources and inferred behavior are broadly aligned.

Block

Hidden execution and egress

3 high-risk artifacts or egress signals were extracted.

Pass

Attack chain and severe findings

There is no explicit malicious chain in the report.

Review

Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

What drove the risk score up

Suspicious branding reference +15

Homepage links to 'github.com/ncreighton/empire-skills' - 'empire' in security context often references post-exploitation frameworks

Hardcoded placeholder API keys +12

Lines 116, 119, 132 contain example API keys in configuration format that could be copy-pasted as real credentials

No implementation code +10

Skill describes capabilities but contains zero scripts or code - cannot verify security claims made in documentation

Unverifiable security claims +5

Claims 'API keys never logged or transmitted' but no code exists to verify this behavior

Most important evidence

Medium Doc Mismatch

Suspicious 'empire-skills' branding

The homepage references 'github.com/ncreighton/empire-skills'. The term 'empire' in security contexts often references post-exploitation frameworks. This branding choice is unusual for a compliance monitoring tool and warrants verification.

SKILL.md:4

Verify this repository is legitimate. Cross-reference with official sources before trusting this skill.

Medium Doc Mismatch

Placeholder API keys in example configuration

Lines 116, 119, and 132 contain API key placeholders (e.g., 'your-sec-api-key') in a format that resembles real configuration. While clearly intended as examples, users may copy-paste these as actual credentials.

SKILL.md:116

Use clearly marked placeholder syntax like '<YOUR_SEC_API_KEY>' or 'INSERT_YOUR_KEY_HERE' to prevent accidental credential misconfiguration.

Medium Doc Mismatch

Unverifiable security claims

The documentation makes security claims ('API keys never logged or transmitted to third parties') without any implementation code to verify. This is classic doc-to-code mismatch - the behavior cannot be audited.

SKILL.md:249

Since no code exists, these claims cannot be verified. Request or verify actual implementation code before trusting security guarantees.

Low Supply Chain

No implementation code present

This SKILL.md describes capabilities but contains zero executable code, scripts, or implementation files. The skill cannot function as documented.

SKILL.md:1

Confirm the actual implementation exists in the referenced repository before use. This may be an incomplete or placeholder skill.

Declared capability vs actual capability

Filesystem Pass

Declared NONE

→

Inferred NONE

No file operations present - documentation only

Network Pass

Declared READ

→

Inferred NONE

_meta declares curl/jq binaries but no implementation code exists to verify network calls

Shell Pass

Declared NONE

→

Inferred NONE

No shell execution code present

Environment Pass

Declared READ

→

Inferred NONE

_meta declares env vars but no code reads them - can't verify actual usage

Suspicious artifacts and egress

High API Key

API_KEY="your-sec-api-key"

SKILL.md:116

High API Key

API_KEY="your-fda-api-key"

SKILL.md:119

High API Key

API_KEY="your-google-api-key"

SKILL.md:132

Medium External URL

https://www.sec.gov/cgi-bin/browse-edgar

SKILL.md:115

Medium External URL

https://open.fda.gov/

SKILL.md:118

Medium External URL

https://hooks.slack.com/services/YOUR/WEBHOOK/URL

SKILL.md:125

Medium External URL

https://www.sec.gov/cgi-bin/browse-edgar.

SKILL.md:314

Medium External URL

https://api.fda.gov/status.json

SKILL.md:320

Info Email

[email protected]

SKILL.md:384

Dependencies and supply chain

There are no structured dependency warnings.

File composition

1 files · 387 lines

Markdown 1 files · 387 lines

Files of concern · 1

SKILL.md Markdown · 387 lines

Suspicious 'empire-skills' branding · Placeholder API keys in example configuration · Unverifiable security claims · No implementation code present · API_KEY="your-sec-api-key" · API_KEY="your-fda-api-key" · API_KEY="your-google-api-key" · https://www.sec.gov/cgi-bin/browse-edgar · https://open.fda.gov/ · https://hooks.slack.com/services/YOUR/WEBHOOK/URL · https://www.sec.gov/cgi-bin/browse-edgar. · https://api.fda.gov/status.json · [email protected]

Security positives

No executable code present - cannot perform malicious actions without additional implementation

No base64-encoded payloads or obfuscated commands detected

No credential exfiltration mechanisms present

No network requests to suspicious IPs or domains

No sensitive path access patterns detected