Trust Assessment
bluepages received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. Key findings include "Unpinned external dependency via npx" and "Requirement for highly sensitive Ethereum private key".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Requirement for highly sensitive Ethereum private key.** The skill explicitly requires an Ethereum `PRIVATE_KEY` for x402 pay-per-request functionality. An Ethereum private key grants full control over associated cryptocurrency funds. While the documentation includes a warning to use a dedicated, funded-only-as-needed agent wallet, requiring such a high-value credential significantly increases the risk of severe financial loss if the skill's environment is compromised, or if there are vulnerabilities in the skill's implementation that could lead to its exposure or misuse. This makes the skill a high-value target for attackers. Re-evaluate the necessity of requiring a raw `PRIVATE_KEY`. If unavoidable, implement robust security measures for its storage and usage (e.g., hardware security modules, secure enclaves, strict access controls). Strongly advise users to use a dedicated, minimally funded wallet. Consider alternative authentication methods that do not require direct private key exposure to the skill. | LLM | SKILL.md:16 |
| HIGH | **Unpinned external dependency via npx.** The skill requires installing an external package directly from a GitHub repository using `npx github:bluepagesdoteth/bluepages-mcp`. This package is not pinned to a specific version or commit hash, making it vulnerable to supply chain attacks. If the upstream repository is compromised, malicious code could be introduced and executed by the skill without explicit user consent or review. The `-y` flag further automates this process. Pin the dependency to a specific version or commit hash (e.g., `npx github:bluepagesdoteth/bluepages-mcp#v1.2.3` or `npx github:bluepagesdoteth/bluepages-mcp#<commit_hash>`). Consider auditing the external package for vulnerabilities before use. | LLM | SKILL.md:10 |