Trust Assessment
Agent Wallet received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 2 high, 2 medium, and 0 low severity. Key findings include Arbitrary EVM Transaction Execution Capability, Agent Handles Sensitive API Key, API Endpoint Configurable via Environment Variable.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 56/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Arbitrary EVM Transaction Execution Capability: The skill provides an endpoint `/api/skills/evm-wallet/send-transaction` that allows the agent to send arbitrary EVM `calldata` to any specified contract address (`to`). While the skill mentions policies as a mitigation, this capability grants the agent broad control over the wallet's assets and interactions. If an attacker can manipulate the `to`, `data`, or `value` parameters provided to the agent, they could craft highly malicious transactions, potentially leading to loss of funds or unauthorized contract interactions, limited only by the owner's policies. Implement strict input validation and sanitization for the `to`, `data`, and `value` parameters if they are derived from untrusted sources. Ensure that the agent's internal logic for constructing these transactions is robust and adheres to the principle of least privilege. Emphasize to users the importance of setting strong policies for this capability. | LLM | SKILL.md:149 |
| HIGH | Agent Handles Sensitive API Key: The skill requires the agent to handle an `API_KEY` for authentication, which grants access to the wallet's functionality within the defined policies. Although the private key is kept server-side, the `API_KEY` itself is a sensitive credential. If this `API_KEY` is compromised (e.g., through insecure storage, logging, or exfiltration by the agent's environment), an attacker could gain unauthorized control over the agent's wallet, potentially leading to financial loss. The skill explicitly instructs the agent to 'Always store the API key from wallet creation'. Advise users on secure storage practices for the `API_KEY` within the agent's environment (e.g., using secure secret management systems, environment variables, or encrypted storage). Implement mechanisms to prevent the `API_KEY` from being logged or exposed in debugging output. Consider short-lived tokens or more granular access control if feasible. | LLM | SKILL.md:60 |
| MEDIUM | API Endpoint Configurable via Environment Variable: The `SAFESKILLS_API_URL` can be overridden by an environment variable. While this provides flexibility, it introduces a supply chain risk. If an attacker can control the environment in which the agent operates, they could set `SAFESKILLS_API_URL` to point to a rogue server. That server could then intercept the agent's `API_KEY` and transaction data, or return malicious responses, leading to data exfiltration or unauthorized actions. Emphasize the critical importance of securing the agent's execution environment and preventing unauthorized modification of environment variables. If possible, restrict the ability to override this variable in production environments or implement cryptographic verification of the endpoint. | LLM | SKILL.md:30 |
| MEDIUM | Potential for JSON Payload Manipulation in `curl` Commands: The skill provides `curl` examples that include JSON payloads (e.g., for `create wallet`, `transfer`, `swap`, `send-transaction`). If an LLM agent constructs these JSON payloads dynamically from untrusted user input without proper sanitization and escaping, an attacker could inject malicious JSON structures. While the `curl -d` argument uses single quotes, preventing direct shell injection *within* the JSON string, an attacker could still manipulate the JSON structure (e.g., adding unexpected fields or changing values in unintended ways) if the LLM's internal logic for generating the JSON is not robust. This could lead to unintended API calls or data manipulation. When constructing JSON payloads from untrusted input, the agent's internal logic must strictly validate and sanitize all input fields. Use a robust JSON serialization library that handles escaping correctly. Avoid directly concatenating user input into JSON strings. | LLM | SKILL.md:70 |
Full report: https://skillshield.io/report/353865f9e74db1f3