Trust Assessment
bitagent-skill received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 2 high, 1 medium, and 0 low severity. Key findings include "Unpinned npm dependency version", "Potential Command Injection via User-Controlled Arguments", and "Direct Use of Sensitive Private Key from Environment Variable".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Potential Command Injection via User-Controlled Arguments. The skill's documentation explicitly instructs the agent to execute a shell command (`npx tsx scripts/index.ts`) with user-provided arguments such as `--name`, `--symbol`, `--token`, and `--amount`. If the agent constructs this command string by directly interpolating user input without proper sanitization or shell escaping, a malicious user could inject arbitrary shell commands (e.g., by providing input like `"--name \"mytoken\"; rm -rf /;"`). This allows for arbitrary code execution on the host system. The agent must be instructed to strictly sanitize and escape all user-provided arguments before constructing and executing shell commands. Ideally, arguments should be passed as an array to a subprocess execution function (e.g., `subprocess.run(['npx', 'tsx', 'scripts/index.ts', 'launch', '--name', user_name], check=True)` in Python) rather than interpolated into a single shell string. If string interpolation is unavoidable, robust shell escaping for each argument is critical. | LLM | SKILL.md:25 |
| HIGH | Direct Use of Sensitive Private Key from Environment Variable. The skill requires and directly accesses a `PRIVATE_KEY` environment variable, which grants full control over a cryptocurrency wallet. This key is used to initialize a `viem` wallet client, sign SIWE messages, and interact with blockchain networks and external APIs. While necessary for the skill's functionality, the direct handling of such a sensitive credential makes it a high-value target for exfiltration if any other vulnerability (e.g., command injection, prompt injection leading to code modification) were to be exploited. The `SKILL.md` explicitly states this requirement, and `scripts/index.ts` directly uses `process.env.PRIVATE_KEY`. Emphasize the extreme sensitivity of the `PRIVATE_KEY`. Implement robust input validation and strict access controls for the agent executing this skill. Consider using a dedicated 'hot wallet' with limited funds for agent operations rather than a primary wallet. For production environments, explore more secure secret management solutions like hardware security modules (HSMs), secure enclaves, or cloud-based secret managers that provide temporary, scoped access to credentials rather than direct environment variable exposure. | LLM | scripts/index.ts:89 |
| HIGH | Excessive Permissions Granted by Private Key. The skill, by its design, operates with the full permissions of the cryptocurrency wallet associated with the provided `PRIVATE_KEY`. This includes the ability to deploy new tokens, buy/sell existing tokens, and sign arbitrary messages, effectively granting complete control over the wallet's assets and on-chain actions. While these permissions are inherent to the skill's intended functionality, they represent a significant security risk if the skill's execution environment or the agent's instructions are compromised, potentially leading to unauthorized transactions or asset loss. Implement strict access controls and continuous monitoring for the agent executing this skill. Ensure the agent's prompts and internal logic are highly constrained and validated to prevent any misuse of these powerful capabilities. If possible, use a dedicated wallet with minimal funds (a 'hot wallet') for agent operations, separate from any primary or cold storage wallets. Regularly audit the agent's interactions and the skill's usage patterns. | LLM | SKILL.md:16 |
| MEDIUM | Unpinned npm dependency version. Dependency '@bitagent/sdk' is not pinned to an exact version ('^3.1.4'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/parasyte-x/openclaw-bitagent/package.json |