Trust Assessment
btc15-autonomous-market received a trust score of 70/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 1 high, 2 medium, and 2 low severity. Key findings: direct storage of private keys in a `.env` file (high); a missing required `name` field and an unverified external repository clone (medium); a missing Node lockfile and unpinned Python dependencies (low).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Direct Storage of Private Keys in Environment File.** The skill instructs users to store the private keys `MAKER_KEY`, `TRADER_KEY` and `RESOLVER_KEY` directly in a `.env` file. The agents need these keys to operate, but a plaintext file exposes high-value credentials to compromise if the skill's codebase is malicious, if the file is committed to version control, or if another process on the host can read it. Document secure secret handling: for production use, inject the keys from a dedicated secret manager (e.g. AWS Secrets Manager, HashiCorp Vault) or a secure environment-variable injection mechanism rather than a file on disk, and enforce a strict `.gitignore` rule for `.env` files. | LLM | SKILL.md:43 |
| MEDIUM | **Missing required field: name.** The `name` field is required for claude_code skills but is missing from the frontmatter. Add a `name` field to the SKILL.md frontmatter. | Static | skills/kamal-sutra/btc15-autonomous-market/SKILL.md:1 |
| MEDIUM | **Unverified External Repository Clone.** The skill instructs users to clone an external Git repository (`https://github.com/kamal-sutra/clawbtc15.git`). This is a supply-chain risk: the integrity of the external repository cannot be guaranteed, and a compromised or malicious repository could inject harmful code into the user's system. Audit the external repository for malicious code. For production environments, fork the repository and maintain a trusted copy, or at minimum pin the clone to a specific commit hash so that upstream changes cannot silently alter what is installed. | LLM | SKILL.md:30 |
| LOW | **Node lockfile missing.** `package.json` is present but no lockfile was found (`package-lock.json`, `pnpm-lock.yaml`, or `yarn.lock`). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/kamal-sutra/btc15-autonomous-market/package.json |
| LOW | **Unpinned Python Dependencies.** The skill instructs users to install the Python packages `web3`, `python-dotenv` and `requests` without specifying exact versions. A future release of any of them could introduce malicious code or breaking changes, and installs are non-deterministic. Pin every Python dependency to a specific version (e.g. `web3==X.Y.Z`) in a `requirements.txt`, ideally with package hashes, so installations are deterministic and verifiable. | LLM | SKILL.md:35 |
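As an added illustration of the finding classes above (this is not SkillShield's analysis code), the Python below is a small checker that flags the same five issues in a SKILL.md and a skill directory listing: a missing frontmatter `name`, a `git clone` with no commit pin, unpinned `pip install` packages, secret-named variables written into a `.env` file, and a `package.json` without a lockfile. The detection rules, both sample SKILL.md texts, the `X.Y.Z` version placeholders and the placeholder commit hash are assumptions made for the example; only the repository URL and the key names come from the report.

```python
# Added example: a minimal skill-hygiene checker reproducing the report's finding classes.
# Not SkillShield's code; detection rules and samples are constructed for illustration.
import re
from pathlib import Path

LOCKFILES = ("package-lock.json", "pnpm-lock.yaml", "yarn.lock")
SECRET_NAME = re.compile(r"^([A-Z][A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD)[A-Z0-9_]*)\s*=")
FULL_SHA = re.compile(r"\b[0-9a-f]{40}\b")
PIP_INSTALL = re.compile(r"^(?:python3?\s+-m\s+)?pip3?\s+install\s+(.*)$")


def parse_frontmatter(text):
    """Return key/value pairs from a leading '---' delimited frontmatter block ({} if none)."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return {}
    fields = {}
    for line in lines[1:]:
        if line.strip() == "---":
            break
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_skill_md(text):
    """Return (severity, message, line_no) tuples for the body of a SKILL.md."""
    findings = []
    lines = text.splitlines()
    if "name" not in parse_frontmatter(text):
        findings.append(("MEDIUM", "Missing required frontmatter field: name", 1))
    env_mentioned = ".env" in text
    for n, raw in enumerate(lines, 1):
        s = raw.strip()
        # A clone counts as pinned only if a full 40-hex commit appears on or after its line
        # (e.g. a following `git checkout <sha>`); branches and tags can move, a sha cannot.
        if re.search(r"\bgit\s+clone\b", s) and not any(FULL_SHA.search(l) for l in lines[n - 1:]):
            findings.append(("MEDIUM", "Unverified external repository clone (no commit pin)", n))
        m = PIP_INSTALL.match(s)
        if m:
            for pkg in m.group(1).split():
                if not pkg.startswith("-") and "==" not in pkg:
                    findings.append(("LOW", f"Unpinned Python dependency: {pkg}", n))
        sm = SECRET_NAME.match(s)
        if env_mentioned and sm:  # a KEY/SECRET/TOKEN assignment in a doc that sets up a .env file
            findings.append(("HIGH", f"Private key/secret {sm.group(1)} stored in .env file", n))
    return findings


def check_node_lockfile(filenames):
    """Given the file names in a skill directory, flag package.json without any lockfile."""
    names = set(filenames)
    if "package.json" in names and not names & set(LOCKFILES):
        return [("LOW", "Node lockfile missing (package.json present)", "package.json")]
    return []


def summarize(findings):
    """Count findings per severity, e.g. {'HIGH': 3, 'MEDIUM': 2, 'LOW': 3}."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed sample exhibiting the report's issues (not the real SKILL.md).
SAMPLE_SKILL_MD = """---
description: Autonomous BTC market agents (constructed sample, not the real SKILL.md)
---
## Setup
git clone https://github.com/kamal-sutra/clawbtc15.git
pip install web3 python-dotenv requests
Create a `.env` file containing:
MAKER_KEY=0x...
TRADER_KEY=0x...
RESOLVER_KEY=0x...
"""

# Same sample remediated; the commit hash and X.Y.Z versions are placeholders, not real values.
HARDENED_SKILL_MD = """---
name: btc15-autonomous-market
description: Constructed sample with the findings remediated (placeholder versions and commit)
---
git clone https://github.com/kamal-sutra/clawbtc15.git
git checkout 0123456789abcdef0123456789abcdef01234567
pip install web3==X.Y.Z python-dotenv==X.Y.Z requests==X.Y.Z
Add `.env` to `.gitignore`; load MAKER_KEY, TRADER_KEY and RESOLVER_KEY from a secret manager at runtime.
"""

if __name__ == "__main__":
    for sev, msg, where in check_skill_md(SAMPLE_SKILL_MD):
        print(f"{sev:<6} SKILL.md:{where}  {msg}")
    print("hardened sample findings:", check_skill_md(HARDENED_SKILL_MD))
    print(check_node_lockfile(p.name for p in Path(".").iterdir()))
```

Run against the constructed sample it reports three HIGH, two MEDIUM and three LOW findings; the hardened sample yields none. The pin check deliberately accepts only a full commit hash, because a branch or tag reference can be moved by the upstream repository after the audit.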
Scan History
Report: https://skillshield.io/report/23671c89167f0b21