{ "trust": { "tier": "Dangerous", "emoji": "🔴", "description": "Multiple critical issues — do not install without thorough manual review", "score": 30 }, "format": "skill", "skill": { "name": "gridclash", "description": "Battle in Grid Clash - join 8-agent grid battles. Fetch equipment data to choose the best weapon, armor, and tier. Use when user wants to participate in Grid Clash battles.", "version": null, "slug": "gridclash" }, "scores": { "security": 0, "transparency": 5, "maintenance": 7, "overall": 3 }, "permissions": { "summary": "Requires 2 system binaries. (1 elevated: curl).", "environmentVariables": [], "binaries": [ { "name": "curl", "risk": "high" }, { "name": "python3", "risk": "low" } ], "envVarCount": 0, "requiredBinCount": 2 }, "compoundThreats": [ { "id": "credential_theft", "severity": "high", "description": "Accesses credentials AND sends data externally — potential credential theft", "capabilities": [ "credential_access", "network_out" ], "owasp": [ "LLM02" ], "owaspAsi": [ "ASI03" ] }, { "id": "credential_persistence", "severity": "high", "description": "Accesses credentials AND writes files — may persist stolen credentials locally", "capabilities": [ "credential_access", "file_write" ], "owasp": [ "LLM02", "LLM06" ], "owaspAsi": [ "ASI03" ] } ], "permissionIntegrity": [ { "type": "undeclared_capability", "severity": "medium", "description": "Performs file operations but does not declare file-accessing binaries", "actual": "file_read+write", "owasp": [ "LLM06" ], "owaspAsi": [ "ASI02" ] }, { "type": "undeclared_capability", "severity": "high", "description": "Code accesses API keys/tokens but declares no environment variables", "actual": "credential_access", "owasp": [ "LLM06" ], "owaspAsi": [ "ASI02" ] } ], "capabilities": [ "network_out", "file_write", "credential_access", "network_in" ], "findings": [ { "severity": "critical", "category": "credentials", "description": "Possible hardcoded credential", "zone": "code", "zoneContext": "instruction", "file": "SKILL.md", "downgraded": false, "sample": "TOKEN=\"$CLAWCLASH_API_TOKEN", "owasp": [ "LLM02" ], "owaspAsi": [ "ASI03" ], "confidence": "pattern" }, { "severity": "high", "category": "shell_injection", "description": "Pipe to python — executes piped content as Python code", "zone": "prose", "zoneContext": "documentation", "file": "SKILL.md", "downgraded": true, "sample": "| python3", "owasp": [ "LLM05", "LLM06" ], "owaspAsi": [ "ASI02", "ASI05" ], "confidence": "pattern" }, { "severity": "low", "category": "network", "description": "Popular HTTP library — network access", "zone": "prose", "zoneContext": "documentation", "file": "SKILL.md", "downgraded": true, "sample": "Got", "owasp": [ "LLM02", "LLM06" ], "owaspAsi": [ "ASI03", "ASI07" ], "confidence": "pattern" } ], "summary": { "total": 3, "critical": 1, "high": 1, "medium": 0, "low": 1, "compoundThreats": 2, "integrityIssues": 2 }, "trustSignals": { "positive": [ { "signal": "described", "positive": true, "detail": "Has meaningful description" }, { "signal": "documented", "positive": true, "detail": "SKILL.md has substantial documentation" } ], "negative": [ { "signal": "versioned", "positive": false, "detail": "No version declared" }, { "signal": "undeclared_env", "positive": false, "detail": "Uses credentials in code but declares no env vars" } ] }, "files": { "hasExecutableCode": false, "executableFiles": [], "totalFiles": 2 }, "humanSummary": "gridclash scores 30/100 (Dangerous). It requires 2 binaries. 2 undeclared capabilities detected — the skill does more than its permissions suggest. 1 critical pattern match in code.", "auditedAt": "2026-04-23T03:39:54.083Z", "vtEnrichment": { "checked": 3, "flagged": 0, "urls": [ { "url": "https://clash.appback.app", "malicious": 0, "suspicious": 0, "engines": 95, "cached": false }, { "url": "https://clash.appback.app/api/v1/*`", "malicious": 0, "suspicious": 0, "engines": 0, "cached": false }, { "url": "https://clash.appback.app/api/v1", "malicious": 0, "suspicious": 0, "engines": 95, "cached": false } ] } }