Security Audit
call-smart-contracts
github.com/algorand-devrel/algorand-agent-skills
Trust Assessment
call-smart-contracts received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The single finding is Insecure Handling of Blockchain Wallet Mnemonic.
The analysis covered 4 layers: dependency_graph, llm_behavioral_safety, manifest_analysis, static_code_analysis. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit aafc1c60). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Insecure Handling of Blockchain Wallet Mnemonic | Unknown | SKILL.md:136 |

The skill instructs the agent to write a raw 24-word mnemonic phrase, which serves as the private key for an Algorand wallet, into a plaintext `.env` file. Persisting unencrypted cryptographic keys to the filesystem is a major security risk: if the file is compromised, read by another process, or accidentally logged or committed to version control, all funds associated with that wallet are lost completely and irreversibly.

The agent should avoid writing raw private keys or mnemonics to disk. Instead, it should use a secure secret management service (e.g. a cloud provider KMS or HashiCorp Vault), or rely on a pre-configured, secure environment where secrets are injected as environment variables at runtime without being persisted in the project's source tree. If filesystem storage is the only option, the agent's host environment must enforce strict file permissions (e.g. `0600`) and audit access to the `.env` file.
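To make the remediation concrete, the following added example (written for this page; it is not code from the audited skill, from algorand-devrel, or from SkillShield) puts the flagged pattern next to a hardened version: the mnemonic is read from a runtime-injected environment variable and never echoed, and when a `.env` file cannot be avoided it is created exclusively with mode `0600` and audited before use. The variable name `ALGORAND_MNEMONIC`, the helper names and the sample phrase are assumptions; the phrase is a constructed placeholder, not a real key. Note that Algorand's own mnemonic format is 25 words (24 key words plus a checksum word), so the shape check below expects 25; real validation goes through `algosdk.mnemonic.to_private_key`, which is not used here so the example runs offline.

```python
"""Mnemonic handling: runtime injection and 0600-only persistence (added example)."""
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Mapping, Optional

MNEMONIC_VAR = "ALGORAND_MNEMONIC"   # assumed variable name, not from the skill
WORD_COUNT = 25                       # Algorand: 24 key words + 1 checksum word
_WORD_RE = re.compile(r"^[a-z]+$")

# Constructed placeholder: NOT a real key and not a valid Algorand checksum.
SAMPLE_MNEMONIC = (
    "alpha bravo charlie delta echo foxtrot golf hotel india juliett kilo "
    "lima mike november oscar papa quebec romeo sierra tango uniform victor "
    "whiskey xray yankee"
)


def looks_like_mnemonic(value: str) -> bool:
    """Cheap shape check (word count and charset) before trusting the value."""
    words = value.split()
    return len(words) == WORD_COUNT and all(_WORD_RE.match(w) for w in words)


def redact(value: str) -> str:
    """What an agent should log instead of the secret itself."""
    return f"<{len(value.split())}-word mnemonic redacted>"


def load_mnemonic(environ: Optional[Mapping[str, str]] = None) -> str:
    """Preferred path: the secret is injected at runtime (CI secret store, KMS or
    Vault sidecar, shell export) and read from the process environment. Nothing
    is written to disk and the raw value is never printed or logged."""
    env = os.environ if environ is None else environ
    value = env.get(MNEMONIC_VAR, "").strip()
    if not value:
        raise RuntimeError(f"{MNEMONIC_VAR} is not set; inject it at runtime "
                           "instead of writing it to a .env file")
    if not looks_like_mnemonic(value):
        raise ValueError(f"{MNEMONIC_VAR} is not a {WORD_COUNT}-word mnemonic")
    return value


def insecure_persist(path: Path, mnemonic: str) -> None:
    """The pattern the finding flags: a plaintext .env created with the process
    umask (typically 0644), readable by every local user and process."""
    path.write_text(f"{MNEMONIC_VAR}={mnemonic}\n")


def env_file_problems(path: Path) -> List[str]:
    """Audit a .env that must exist: regular file, owned by us, no symlink,
    no group/other permission bits. Empty list means it passes."""
    problems: List[str] = []
    try:
        st = path.lstat()
    except FileNotFoundError:
        return ["file does not exist"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("path is a symlink")
    elif not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != os.getuid():
        problems.append("not owned by the current user")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:04o} is group/world accessible; expected 0600")
    return problems


def hardened_persist(path: Path, mnemonic: str) -> None:
    """Last resort when filesystem storage is unavoidable: create the file
    exclusively (no overwrite, no following an existing symlink) with mode 0600,
    then re-assert the mode because O_CREAT's mode is still masked by umask."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.fchmod(fd, 0o600)
        os.write(fd, f"{MNEMONIC_VAR}={mnemonic}\n".encode())
    finally:
        os.close(fd)


def run_demo() -> Dict[str, List[str]]:
    """Write the placeholder both ways into a temp dir and audit each file."""
    workdir = Path(tempfile.mkdtemp(prefix="mnemonic-demo-"))
    bad, good = workdir / "insecure.env", workdir / "hardened.env"
    insecure_persist(bad, SAMPLE_MNEMONIC)
    os.chmod(bad, 0o644)  # what umask 022 yields; forced so the demo is umask-independent
    hardened_persist(good, SAMPLE_MNEMONIC)
    results = {"insecure": env_file_problems(bad), "hardened": env_file_problems(good)}
    for p in (bad, good):
        p.unlink()
    workdir.rmdir()
    return results


if __name__ == "__main__":
    print("loaded:", redact(load_mnemonic({MNEMONIC_VAR: SAMPLE_MNEMONIC})))
    for name, problems in run_demo().items():
        print(f"{name}: {'OK' if not problems else problems}")
```

The audit in `env_file_problems` is the check a host environment should run before an agent is allowed to `source` or `dotenv`-load a secrets file; the `lstat` plus `O_NOFOLLOW`/`O_EXCL` combination also closes the case where an attacker pre-plants a symlink at the expected path so the "secure" write lands somewhere world-readable.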
Full report: https://skillshield.io/report/7d217520c243be01
Powered by SkillShield