Trust Assessment
arkade received a trust score of 87/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 2 medium, and 0 low severity. The key findings are Unpinned npm dependency version and Private Key Stored on Disk.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Unpinned npm dependency version: Dependency '@arkade-os/sdk' is not pinned to an exact version ('^0.3.12'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/tiero/arkade-wallet/package.json |
| MEDIUM | Private Key Stored on Disk: The skill automatically generates and stores the user's private key in a local configuration file at `~/.arkade-wallet/config.json`. While file permissions are set restrictively (`0o600`), storing private keys on disk in a predictable location increases the risk of credential exposure if the agent's environment is compromised or if the agent is inadvertently prompted to reveal file contents. This is a sensitive operation for an AI agent environment. For AI agent skills, consider alternative secure storage mechanisms (e.g., OS-level secret management, encrypted vaults) or ensure the agent is explicitly designed *not* to expose file system contents or sensitive configuration files. If local storage is necessary, ensure robust encryption at rest for the configuration file. | LLM | cli/arkade.mjs:48 |