Trust Velocity Calculator

PassAudited by ClawScan on May 1, 2026.

Overview

The visible artifacts describe a benign trust-score calculator with no code, credentials, persistence, or account access, though it declares curl and python3 requirements without explaining their use.

This appears safe to use as a manual calculator/reporting aid. Treat its trust score as advisory, verify the input data yourself, and clarify why curl and python3 are required before allowing the agent to run commands.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

A user may be asked to have curl and python3 available even though the visible skill does not explain when they would be used.

Why it was flagged

The skill is presented as instruction-only and the visible content does not show why these command-line dependencies are needed. This is a small provenance/dependency clarity issue rather than evidence of malicious behavior.

Skill content

requires:
      bins: [curl, python3]
      env: []

Recommendation

Ask the maintainer to document or remove the binary requirements, and only allow command execution if a specific user-approved workflow clearly needs it.