Trust Assessment
agent-wallet received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 2 high, 1 medium, and 0 low severity. Key findings include "Mnemonic and Wallet ID stored on filesystem and explicitly exposed", "Potential for command injection through unsanitized arguments", and "Unpinned `npx` dependency allows arbitrary package versions".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Mnemonic and Wallet ID stored on filesystem and explicitly exposed.** The skill stores the BIP39 mnemonic (which represents the private keys) and the `walletId` (which can act as an API key) in `~/.mdk-wallet/config.json`. This file is a sensitive target for any other skill or process with filesystem read access. Furthermore, the command `npx @moneydevkit/agent-wallet init --show` explicitly outputs the mnemonic to stdout, creating a direct path for credential exfiltration if an agent is prompted to execute it. 1. Implement robust access controls for `~/.mdk-wallet/config.json` to prevent unauthorized reading. 2. Avoid storing mnemonics directly on the filesystem in plain text. Consider using secure key storage mechanisms (e.g., OS keychains, hardware security modules) if available in the agent's environment. 3. Remove or restrict the `init --show` command, or ensure its output is never exposed to untrusted parties. If the mnemonic must be displayed, it should be done with extreme caution and only in secure, human-controlled environments, not programmatically by an agent. | LLM | SKILL.md:13 |
| HIGH | **Potential for command injection through unsanitized arguments.** Several `npx` commands take user-controlled arguments such as `<destination>`, `<amount_sats>`, `--description`, `--port`, and `--network`. If these arguments are not properly sanitized or escaped by the calling agent before being passed to the shell, an attacker could inject arbitrary shell commands. For example, a malicious `<destination>` could be crafted to execute `"; rm -rf /"` or similar. The agent framework or the skill's wrapper should ensure that all user-provided arguments passed to shell commands are strictly validated and properly escaped to prevent command injection. Consider using a library that safely constructs command-line arguments. | LLM | SKILL.md:35 |
| HIGH | **Unpinned `npx` dependency allows arbitrary package versions.** The skill uses `npx @moneydevkit/agent-wallet` without specifying a version. This means `npx` will always fetch and execute the `latest` version of the package from the npm registry. This introduces a supply chain risk, as a malicious update to the `@moneydevkit/agent-wallet` package by its maintainers or via a compromise of the npm registry could lead to arbitrary code execution within the agent's environment. Pin the dependency to a specific, known-good version (e.g., `npx @moneydevkit/agent-wallet@1.2.3`). Regularly review and update the pinned version to incorporate security fixes. | LLM | SKILL.md:9 |
| MEDIUM | **Skill starts a local network daemon, potentially exposing an attack surface.** The skill explicitly states that it "runs a local Lightning node on `:3456`" which auto-starts. This means the skill initiates a network service within the agent's execution environment. If the agent's environment has broad network permissions, this daemon could be accessible from outside the agent's isolated context, potentially exposing it to network-based attacks or allowing it to be used as an egress point. Ensure the agent's execution environment is properly sandboxed and network-isolated. If the daemon must be accessible, implement strict firewall rules to limit access to trusted sources only (e.g., localhost). Consider making the daemon's network binding configurable to `127.0.0.1` by default. | LLM | SKILL.md:70 |