Trust Assessment
blankspace-registration received a trust score of 72/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 2 medium, and 1 low severity. Key findings include Unpinned npm dependency version, Node lockfile missing, Instruction to store sensitive cryptographic keys in local file.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Instruction to store sensitive cryptographic keys in local file The skill instructs the user to save the `custodyMnemonic` (24-word seed phrase) and `signerPrivateKey` (ED25519 private key) in a local JSON file (`~/.config/blankspace/credentials.json`). While a warning about keeping them secret is provided, storing these highly sensitive cryptographic keys in a plain text file accessible by the agent's environment poses a significant risk. If the agent's workspace or the file system is compromised, these credentials could be exfiltrated, leading to full control over the Farcaster identity. Recommend storing `custodyMnemonic` and `signerPrivateKey` in environment variables, a dedicated secrets manager, or a secure vault, rather than in a plain text file. Emphasize that these keys grant full control over the Farcaster identity and should be protected with the highest level of security. | LLM | SKILL.md:60 | |
| MEDIUM | Unpinned npm dependency version Dependency 'viem' is not pinned to an exact version ('^2.0.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/willyogo/blankspace-registration/package.json | |
| MEDIUM | Heavy reliance on unauthenticated third-party APIs for critical operations The skill's core functionality, including Farcaster ID registration, signer authorization, and profile updates, relies on two external APIs: Clawcaster (`https://clawcaster.web.app/api`) and Blankspace (`https://sljlmfmrtiqyutlxcnbo.supabase.co/functions/v1/register-agent`). The Blankspace API explicitly states 'No API key or auth header needed,' indicating it's publicly accessible. This means the skill (and by extension, the user's agent) sends sensitive transaction data and signed messages to these services without explicit authentication of the agent itself. A compromise or malicious intent of these third-party services could lead to data manipulation, unauthorized actions, or credential harvesting (of signed messages/public keys). Advise users to exercise caution and thoroughly vet the trustworthiness of third-party services before using skills that rely on them for critical operations. For the skill developer, consider adding explicit warnings within the skill about the trust assumption, and explore options for more robust authentication or decentralized alternatives if available. | LLM | SKILL.md:137 | |
| LOW | Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/willyogo/blankspace-registration/package.json |
Scan History
Embed Code
[](https://skillshield.io/report/8179b845f103b2e1)
Powered by SkillShield