Trust Assessment
bnb-chain received a trust score of 62/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 0 high, 1 medium, and 1 low severity. Key findings include Unpinned npm dependency version, Private Key Exposed via Command-Line Argument, Unpinned Dependency Version.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 68/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Private Key Exposed via Command-Line Argument.** The skill's `bnb.js` script allows users to pass their private key directly as a command-line argument using the `--key` option. This is a severe security vulnerability as private keys passed in this manner can be easily exposed in system process lists (`ps aux`), shell history files, and various logging mechanisms, leading to credential harvesting and potential loss of funds. The `getKey` function explicitly retrieves this argument. Remove the functionality to accept private keys via command-line arguments. Enforce the use of environment variables (e.g., `BNB_PRIVATE_KEY`) or implement a secure prompt for private key input that does not expose the key in plaintext in process information or logs. | LLM | bnb.js:133 |
| MEDIUM | **Unpinned npm dependency version.** Dependency 'ethers' is not pinned to an exact version ('^6.16.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/clawzai/bnb-chain/package.json |
| LOW | **Unpinned Dependency Version.** The `ethers` dependency in `package.json` is specified with a caret (`^`) version range (`^6.16.0`). While `ethers` is a reputable library, using unpinned dependencies can lead to non-deterministic builds and potentially introduce unexpected changes or vulnerabilities if a malicious update is pushed to a minor or patch version, or if a transitive dependency has issues. For a skill handling financial transactions, pinning exact versions is a stronger security practice. Pin the `ethers` dependency to an exact version (e.g., `"ethers": "6.16.0"`) to ensure deterministic builds and prevent unintended updates. Regularly review and manually update dependencies to incorporate security fixes. | LLM | package.json:10 |