Trust Assessment
bridging received a trust score of 75/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 2 medium, and 0 low severity. Key findings include Unpinned dependency in skill manifest, Direct interaction with user's cryptocurrency wallet.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Direct interaction with user's cryptocurrency wallet.** The provided code snippets demonstrate direct interaction with the user's `window.ethereum` object to create a wallet client and initiate blockchain transactions (`walletClient.writeContract`). This grants the skill broad access to the user's connected wallet, enabling it to propose transactions that could transfer funds or interact with smart contracts. While this is the intended functionality for a bridging skill, it represents a high-risk operation. If the skill's logic or the referenced contract addresses/ABIs were compromised or malicious, it could lead to unauthorized loss of user funds. Users should be explicitly warned about the financial risks associated with blockchain transactions and the necessity of verifying all transaction details before approval. For skill developers, ensure all contract addresses and ABIs are thoroughly audited, verified, and immutable. Implement robust input validation for `amount` and other transaction parameters to prevent manipulation. | LLM | SKILL.md:69 |
| MEDIUM | **Unpinned dependency in skill manifest.** The skill specifies dependencies (`viem`, `@lifi/sdk`) using caret (`^`) ranges, allowing automatic updates to minor and patch versions. This introduces a supply chain risk, as a malicious or buggy update to these libraries could be automatically pulled in, potentially leading to security vulnerabilities or unexpected behavior. It is best practice to pin dependencies to exact versions to ensure deterministic builds and prevent unintended changes. Pin dependencies to exact versions (e.g., `"viem": "2.x.y"`) or use a lock file to ensure deterministic dependency resolution. | LLM | SKILL.md:139 |
| MEDIUM | **Unpinned dependency in skill manifest.** The skill specifies dependencies (`viem`, `@lifi/sdk`) using caret (`^`) ranges, allowing automatic updates to minor and patch versions. This introduces a supply chain risk, as a malicious or buggy update to these libraries could be automatically pulled in, potentially leading to security vulnerabilities or unexpected behavior. It is best practice to pin dependencies to exact versions to ensure deterministic builds and prevent unintended changes. Pin dependencies to exact versions (e.g., `"@lifi/sdk": "3.x.y"`) or use a lock file to ensure deterministic dependency resolution. | LLM | SKILL.md:146 |
Scan History