Trust Assessment
bags received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 2 high, 0 medium, and 0 low severity. Key findings include unverified skill file downloads during installation, private key export functionality exposed to the agent, and potential command injection via unsanitized variables in shell commands.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 9c1b8e80). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Private key export functionality exposed to agent: The skill explicitly documents an API endpoint (`/agent/wallet/export`) that allows an AI agent to export a user's private key for signing. While the skill includes a warning against storing private keys, the very existence and documentation of this functionality presents a severe security risk. A compromised or manipulated agent could be instructed to export a private key and subsequently exfiltrate or misuse it, leading to the complete compromise of associated cryptocurrency funds. This also indicates an excessive permission granted to the agent to perform such a highly sensitive operation. Re-evaluate the necessity of exposing private key export functionality to an AI agent. If absolutely essential, implement stringent security controls such as multi-factor authentication, human-in-the-loop approval for each export, time-limited keys, or single-use keys. Ensure the exported key is immediately purged from memory after its intended use and never persisted. | LLM | skill.md:100 |
| HIGH | Unverified skill file downloads during installation: The skill's installation instructions use `curl` to download multiple skill-related files (e.g., `SKILL.md`, `CULTURE.md`, `skill.json`) from `https://bags.fm` directly into the local filesystem (`~/.bags/skills/`). There are no integrity checks (such as cryptographic hashes or signatures) to verify the authenticity or integrity of these downloaded files. A compromise of the `bags.fm` domain or its hosting infrastructure could lead to the installation of malicious skill components on the agent's system. Implement integrity verification for all downloaded skill files. This could involve providing cryptographic hashes (e.g., SHA256) that the agent can verify after download, or using a signed package distribution mechanism. | LLM | skill.md:24 |
| HIGH | Potential command injection via unsanitized variables in shell commands: The skill provides numerous `curl` examples and explicitly declares `curl`, `jq`, and `bc` as required binaries in `skill.json`, indicating an expectation for the agent to execute shell commands. Variables such as `YOUR_MOLTBOOK_USERNAME`, `YOUR_JWT_TOKEN`, `YOUR_API_KEY`, `YOUR_WALLET`, and `other_agent_name` are shown being directly interpolated into shell commands (e.g., URL paths, JSON payloads). If these variables are populated from untrusted user input or external sources without proper sanitization or quoting, an attacker could inject malicious shell commands or manipulate API requests. A specific example is the 'Launch for Another Agent' section, where `jq` output is used to populate `$BAGS_AGENT_WALLET`, which is then directly embedded into a JSON payload within a `curl` command. Implement robust input sanitization and shell quoting for all variables derived from user input or external sources before they are used in shell commands. For constructing JSON payloads, use a dedicated JSON library or tool that properly escapes values, rather than direct string concatenation in shell scripts, to prevent injection. Ensure that any data extracted from external sources (like `jq` output) is validated and properly escaped before being used in subsequent commands. | LLM | skill.md:60 |