Trust Assessment
avantis received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 5 critical, 1 high, 0 medium, and 0 low severity. Key findings include Hardcoded Private Key, Private Key Read from Plaintext File, Documentation of Insecure Private Key Storage.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100; all six findings listed below were raised by that layer, and all concern the handling of the wallet's private key.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Hardcoded Private Key: a cryptocurrency private key is hardcoded directly in the source code. This exposes the key to anyone with access to the skill's code, leading to immediate and complete compromise of the associated wallet and funds. Remediation: remove hardcoded private keys and use secure secret management (environment variables injected by a secret store, dedicated secret managers, hardware security modules) that requires proper authentication and authorization. For development, use testnet keys or mock data. | LLM | scripts/check-positions.py:5 |
| CRITICAL | Hardcoded Private Key: same issue and remediation as above, at a second location. | LLM | scripts/test-avantis-simple.py:6 |
| CRITICAL | Private Key Read from Plaintext File: the skill reads a cryptocurrency private key from a plaintext file (`/home/ubuntu/clawd/MAIN_WALLET.txt`). Storing private keys in unencrypted, accessible files is a critical security vulnerability, as any process with read access to this file can compromise the associated wallet and funds. Remediation: do not store private keys in plaintext files; use environment variables, encrypted key vaults, or a dedicated secret management service, and enforce strict access controls on any sensitive file that must remain on disk. | LLM | scripts/close.py:10 |
| CRITICAL | Private Key Read from Plaintext File: same issue and remediation as above, at a second location. | LLM | scripts/positions.py:8 |
| CRITICAL | Private Key Read from Plaintext File: same issue and remediation as above, at a third location. | LLM | scripts/trade.py:10 |
| HIGH | Documentation of Insecure Private Key Storage: the skill's documentation explicitly states that the main wallet's private key is stored in a plaintext file (`/home/ubuntu/clawd/MAIN_WALLET.txt`). While this is documentation rather than executable code, it confirms an insecure practice that leaves the private key open to unauthorized access and compromise. Remediation: update the documentation to describe secure private key management, and ensure the actual private key is never stored in a plaintext file or hardcoded. | LLM | SKILL.md:29 |
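The following Python is an added example, not SkillShield's scanner and not code from the avantis skill. It reproduces the two CRITICAL finding classes above as a static check that can run in CI (a string literal that is a 32-byte hex private key; an `open()` of a wallet or key file in read mode), and shows the remediation the table recommends: load the key from an environment variable injected by a secret manager, validate it, and if a file must be used at all, refuse any file that is group- or world-readable. Assumptions: the key is EVM-style 32-byte hex (WIF or other encodings would need extra patterns), the environment variable name `AVANTIS_PRIVATE_KEY` is invented for the example, the file-name heuristic generalises beyond the `MAIN_WALLET.txt` path the report cites, and the sample sources and the fake key are constructed here.

```python
"""Static checks and hardened loader for the private-key findings above.
Added example; not the SkillShield scanner and not the avantis skill's code."""
import ast
import os
import re
import stat
import tempfile

# 32-byte hex private key with optional 0x prefix (assumed key format).
HEX_KEY_RE = re.compile(r"^(0x)?[0-9a-fA-F]{64}$")
# File names that suggest a key dump; MAIN_WALLET.txt is the path the report
# cites, the other names are assumed generalisations.
KEY_FILE_RE = re.compile(r"(wallet|private[_-]?key|secret|\.pem)", re.I)


def _open_mode(call: ast.Call) -> str:
    """Return the literal mode passed to open(), defaulting to 'r'."""
    mode = "r"
    if len(call.args) > 1 and isinstance(call.args[1], ast.Constant):
        mode = str(call.args[1].value)
    for kw in call.keywords:
        if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
            mode = str(kw.value.value)
    return mode


def scan_source(src: str, filename: str = "<string>") -> list[dict]:
    """Report hardcoded hex keys and read-mode open() calls on key files."""
    findings = []
    for node in ast.walk(ast.parse(src, filename=filename)):
        # Finding class 1: a string literal that is itself a private key.
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if HEX_KEY_RE.match(node.value):
                findings.append({"severity": "CRITICAL",
                                 "finding": "Hardcoded Private Key",
                                 "location": f"{filename}:{node.lineno}"})
        # Finding class 2: open('<path>') where the path names a key file.
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "open" and node.args
                and isinstance(node.args[0], ast.Constant)
                and isinstance(node.args[0].value, str)):
            path = node.args[0].value
            if KEY_FILE_RE.search(path) and _open_mode(node).startswith("r"):
                findings.append({"severity": "CRITICAL",
                                 "finding": "Private Key Read from Plaintext File",
                                 "location": f"{filename}:{node.lineno}",
                                 "path": path})
    return findings


def load_private_key(env_var: str = "AVANTIS_PRIVATE_KEY", environ=None) -> str:
    """Hardened loader: the key arrives via the process environment (set by a
    secret manager, never committed), is validated, and is never echoed.
    Raises instead of falling back to a file on disk."""
    environ = os.environ if environ is None else environ
    key = environ.get(env_var)
    if key is None:
        raise RuntimeError(f"{env_var} not set; refusing to fall back to a file")
    key = key.strip()
    if not HEX_KEY_RE.match(key):
        raise ValueError(f"{env_var} is not a 32-byte hex private key")
    return key.lower().removeprefix("0x")


def key_file_is_private(path: str) -> bool:
    """If a key file cannot be avoided: regular file, owned by this user,
    and no group/other permission bits (0600 or tighter)."""
    st = os.stat(path)
    return (stat.S_ISREG(st.st_mode) and st.st_uid == os.getuid()
            and (st.st_mode & 0o077) == 0)


def perm_check_demo() -> tuple[bool, bool]:
    """Show the permission check on a 0600 and a 0644 temp file (constructed)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        path = tmp.name
    try:
        os.chmod(path, 0o600)
        strict = key_file_is_private(path)
        os.chmod(path, 0o644)
        loose = key_file_is_private(path)
    finally:
        os.unlink(path)
    return strict, loose


# Constructed sample sources mirroring the flagged patterns; the key is fake.
FAKE_KEY = "0x" + "ab" * 32
VULNERABLE_HARDCODED = f'PRIVATE_KEY = "{FAKE_KEY}"\n'
VULNERABLE_FILE_READ = ("with open('/home/ubuntu/clawd/MAIN_WALLET.txt') as f:\n"
                        "    PRIVATE_KEY = f.read().strip()\n")
SAFE_SOURCE = "import os\nPRIVATE_KEY = os.environ['AVANTIS_PRIVATE_KEY']\n"

if __name__ == "__main__":
    for name, src in [("check-positions.py", VULNERABLE_HARDCODED),
                      ("close.py", VULNERABLE_FILE_READ), ("safe.py", SAFE_SOURCE)]:
        print(name, scan_source(src, name))
    print("perm check (0600, 0644):", perm_check_demo())
```

The AST walk deliberately flags the string literal itself rather than a variable name, so renaming `PRIVATE_KEY` does not evade it; conversely a key built by concatenation or decoded from base64 would slip past this check, which is why the loader refuses anything but a validated environment value and the scanner is a gate, not the control.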
Full report: https://skillshield.io/report/83c109323c963bb4 (powered by SkillShield)