Trust Assessment
aimine received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 11 findings: 6 critical, 2 high, 3 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Sensitive environment variable access: $HOME, Potential command injection through unsanitized API keys.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (11)
| Severity | Finding | Details | Remediation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address. | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/nancyuahon/aimine/SKILL.md:61 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address. | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/nancyuahon/aimine/SKILL.md:70 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address. | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/nancyuahon/aimine/SKILL.md:80 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address. | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/nancyuahon/aimine/SKILL.md:104 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address. | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/nancyuahon/aimine/SKILL.md:105 |
| CRITICAL | Potential command injection through unsanitized API keys | When configuring the miner with user-provided keys, the `PRIVATE_KEY` and `OPENAI_KEY` are passed directly as command-line arguments to `npx ts-node src/index.ts init --private-key <key> --openai-key <key>`. If the agent does not rigorously sanitize or escape these user-provided `<key>` values before interpolating them into the shell command, an attacker could inject arbitrary shell commands (e.g., `abc; rm -rf /; #`), leading to remote code execution. | The agent must strictly sanitize or escape all user-provided input before interpolating it into shell commands. A safer approach is to use environment variables or temporary files with restricted permissions for sensitive data, ensuring the target script reads them securely. | LLM | SKILL.md:42 |
| HIGH | Sensitive credentials exposed via command-line arguments | When configuring the miner with user-provided keys, sensitive credentials such as `PRIVATE_KEY` and `OPENAI_KEY` are passed directly as command-line arguments. Command-line arguments are often visible in process lists (`ps aux`), system logs, or shell history, making these credentials vulnerable to exposure to other users or processes on the system. | Avoid passing sensitive credentials as command-line arguments. Instead, use environment variables (as suggested by the `--from-env` option for existing keys) or secure input methods (e.g., reading from a temporary file with restricted permissions) to provide credentials to the script. | LLM | SKILL.md:42 |
| HIGH | Unpinned Git repository clone introduces supply chain risk | The skill clones the `https://github.com/AIMineRes/PoAIW.git` repository without specifying a particular commit hash or tag. This means that any future changes to the upstream repository, including the introduction of malicious code, would be automatically pulled and executed by the skill without explicit review or update by the skill author. This creates a significant supply chain vulnerability. | Pin the Git repository clone to a specific, immutable commit hash (e.g., `git clone <repo> <dir> && cd <dir> && git reset --hard <commit_hash>`). Regularly review and update the pinned commit to incorporate legitimate updates. | LLM | SKILL.md:30 |
| MEDIUM | Sensitive environment variable access: $HOME | Access to sensitive environment variable `$HOME` detected in shell context. | Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/nancyuahon/aimine/SKILL.md:25 |
| MEDIUM | Unpinned npm dependencies introduce supply chain risk | The `npm install` command is executed after cloning the repository. While `package.json` might specify version ranges, without a strictly pinned `package-lock.json` (which itself is part of the unpinned git repo) or explicit version pinning for all dependencies, `npm install` can pull different versions of packages over time. This can lead to non-deterministic builds and potential introduction of vulnerabilities or malicious code if a dependency is compromised. | Ensure the cloned repository includes a `package-lock.json` file that is committed and reviewed. For critical skills, consider vendoring dependencies or using a private package registry with strict version control. This remediation is secondary to pinning the Git repository itself. | LLM | SKILL.md:31 |
| MEDIUM | Broad execution scope and filesystem access | The skill operates by cloning a repository and executing `npm install`, `node`, and `npx ts-node` within the user's home directory (`$HOME/PoAIW`). This grants the skill and the code it executes broad read/write access to the user's home directory and the ability to execute arbitrary code. While necessary for its stated function, this broad scope, especially when combined with supply chain risks, increases the potential impact of a compromise. | If possible, restrict the skill's execution environment to a more isolated or sandboxed directory. Minimize the scope of filesystem access to only what is strictly necessary. Ensure all executed scripts are thoroughly vetted and that the environment variables are limited to only what is required. | LLM | SKILL.md:29 |