Trust Assessment
Belief Markets received a trust score of 44/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 1 critical, 1 high, 3 medium, and 0 low severity. Key findings include Unsafe deserialization / dynamic eval, Unpinned npm dependency version, Arbitrary File Read via BELIEF_MARKETS_KEYPAIR_PATH.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings5
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary File Read via BELIEF_MARKETS_KEYPAIR_PATH The skill allows loading a Solana keypair from a path specified by the `BELIEF_MARKETS_KEYPAIR_PATH` environment variable. The `config.js` module uses `os.homedir()` to expand `~` in this path, meaning an attacker can specify *any* file path within the user's home directory. The `skill.js` module then reads the content of this file using `fs.readFileSync` and attempts to parse it as JSON. This allows an attacker to read arbitrary files from the user's home directory, potentially leading to credential harvesting (e.g., SSH keys, AWS credentials, other secret files) or general data exfiltration. Restrict `KEYPAIR_PATH` to a directory within the skill's own sandbox or a designated secure location that does not allow arbitrary paths in `os.homedir()`. If `os.homedir()` expansion is strictly necessary, implement robust validation to ensure the path is within an allowed, non-sensitive subdirectory, or prompt the user for explicit confirmation for paths outside the skill's directory. For keypairs, consider using secure key management systems or environment variables for the key itself, rather than file paths. | LLM | config.js:20 | |
| HIGH | Arbitrary File Write/Read via BELIEF_MARKETS_DATA_DIR The skill's `DATA_DIR`, `LEDGER_PATH`, and `STATE_PATH` are configurable via environment variables (`BELIEF_MARKETS_DATA_DIR`, `BELIEF_MARKETS_LEDGER_PATH`, `BELIEF_MARKETS_STATE_PATH`). The `config.js` module uses `os.homedir()` to expand `~` in these paths. This allows an attacker to direct the skill to write its ledger and state files (containing trading history, NAV snapshots, etc.) to arbitrary locations within the user's home directory. This could lead to data exfiltration (writing sensitive trading data to an attacker-controlled location), denial of service (overwriting critical system files), or information disclosure (reading sensitive files if paths are pointed to existing files). Restrict `DATA_DIR` and related paths to a directory within the skill's own sandbox. If `os.homedir()` expansion is necessary, implement robust validation to ensure the path is within an allowed, non-sensitive subdirectory, or prompt the user for explicit confirmation for paths outside the skill's directory. The default `defaultDataDir` is relative to `__dirname`, which is good, but the `envPath` override bypasses this safety. | LLM | config.js:17 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/af271/belief-markets/skill.js:2 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/af271/belief-markets/state.test.js:162 | |
| MEDIUM | Unpinned npm dependency version Dependency '@solana/web3.js' is not pinned to an exact version ('^1.87.6'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/af271/belief-markets/package.json |
Scan History
Embed Code
[](https://skillshield.io/report/73eaa874ed050f5a)
Powered by SkillShield