Security Audit
openant-ai/openant-skills:skills/check-wallet
github.com/openant-ai/openant-skills

Trust Assessment
openant-ai/openant-skills:skills/check-wallet received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. Key findings include Potential Command Injection via Unrestricted Bash Arguments and Unpinned Dependency in Bash Command (Supply Chain Risk).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on March 5, 2026 (commit 0ad72002). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Potential Command Injection via Unrestricted Bash Arguments | Static | Manifest |
| HIGH | Unpinned Dependency in Bash Command (Supply Chain Risk) | Static | Manifest |

CRITICAL: Potential Command Injection via Unrestricted Bash Arguments

Description: The skill's declared permissions allow the execution of `npx @openant-ai/cli@latest wallet *` and `npx @openant-ai/cli@latest status*`. The wildcard `*` permits the LLM to append arbitrary arguments to these shell commands. If the LLM is prompted to include shell metacharacters (e.g., `;`, `&&`, `|`, `$()`, `` ` ``) within these arguments, it could lead to arbitrary command execution on the host system. For example, an attacker could craft a prompt that causes the LLM to generate an argument like `--solana-rpc 'https://example.com; rm -rf /'`, leading to a critical system compromise.

Remediation: Restrict the allowed arguments for Bash commands. Instead of `*`, specify a precise list of allowed flags and their expected value types (e.g., `--json`, `--solana-rpc <URL>`). Implement robust input validation and sanitization within the skill's logic or the underlying `npx` command to prevent shell metacharacters from being interpreted as commands. Consider using a more structured tool invocation mechanism that does not rely on direct shell command string concatenation for user-controlled input.

HIGH: Unpinned Dependency in Bash Command (Supply Chain Risk)

Description: The skill uses `npx @openant-ai/cli@latest` to execute the OpenAnt CLI. Relying on the `@latest` tag for a package means that any new version published by the package maintainer (or by a malicious actor if the package is compromised) will be automatically downloaded and executed. This introduces a significant supply chain risk, as a compromised or malicious `latest` version of `@openant-ai/cli` could lead to arbitrary code execution, data exfiltration, or credential harvesting.

Remediation: Pin the dependency to a specific, immutable version. For example, use `npx @openant-ai/cli@1.2.3` instead of `@latest`. Regularly review and update the pinned version after verifying its integrity and security. This ensures that the skill always executes a known and trusted version of the CLI tool.
Scan History
Full report: https://skillshield.io/report/d6ea28bf954f90d0
Powered by SkillShield