Trust Assessment
celo-stablecoins received a trust score of 73/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 0 critical, 2 high, 0 medium, and 0 low severity. Both concern private key handling in the skill's examples: direct private key usage in a code example, and a private key passed as a command-line argument in a `cast` example.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Direct private key usage in code example.** The skill's code example passes a placeholder private key string (`"0xYourPrivateKey"`) directly to the wallet-client constructor. A user who follows the pattern with a real key ends up with key material hardcoded in source, where it is easily committed, logged or copied. Private keys should be loaded at runtime from an environment variable (e.g. `process.env.PRIVATE_KEY`), a secrets manager or a hardware wallet, never embedded in code. Remediation: replace the literal with a runtime lookup and add an explicit warning about the danger of exposing private keys. | LLM | SKILL.md:126 |
| HIGH | **Private key exposed via command-line argument in example.** The skill's `cast` example passes the key as a command-line argument (`--private-key $PRIVATE_KEY`). Although `$PRIVATE_KEY` is an environment variable, the shell expands it before `cast` starts, so the raw key is visible in the process list (`ps`, `/proc/<pid>/cmdline`) for the life of the process and in any log or trace that records the expanded command, such as `set -x` output or CI job logs (the shell history file records `$PRIVATE_KEY` unexpanded, but it records the raw key if a user pastes the key in directly). The example also encourages keeping the key in a plain environment variable with no further protection. Remediation: recommend `cast`'s interactive prompt (`--interactive`), a keystore (`--keystore`) or a hardware wallet (`--ledger`, `--trezor`) for signing; if an environment variable is used anyway, stress that the environment it lives in must itself be protected. | LLM | SKILL.md:160 |
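Both findings describe patterns a reviewer can check for mechanically before deploying a skill. The scanner below is an added example written for this page, not SkillShield's own analysis code: the rule names, advice strings and sample text are this example's own. It runs the two checks (a quoted key literal or placeholder passed in code, and `--private-key` on a command line) over a constructed stand-in for the skill text, where the hex key is a throwaway repeating pattern rather than a real key and the `privateKeyToAccount` and `cast` lines are illustrative, and it redacts anything key-shaped before reporting so the scanner's own output cannot leak a key.

```python
"""Flag the two private-key handling patterns from the findings above.

Added example for this page, not SkillShield's scanner. Rule names, the
sample text and the advice strings are this example's own.
"""
import re
from typing import List, NamedTuple

# Constructed stand-in for a skill file. FAKE_KEY is a repeating hex pattern
# shaped like a 32-byte key, not a real key.
FAKE_KEY = "0x" + "0123456789abcdef" * 4

SAMPLE_SKILL = f"""# Constructed sample, not the real SKILL.md
const account = privateKeyToAccount("0xYourPrivateKey");
const account = privateKeyToAccount(process.env.PRIVATE_KEY);
const signer = privateKeyToAccount("{FAKE_KEY}");
cast send $TOKEN "transfer(address,uint256)" $TO 1000000 --private-key $PRIVATE_KEY
cast send $TOKEN "transfer(address,uint256)" $TO 1000000 --ledger
"""

HEX_KEY = re.compile(r"0x[0-9a-fA-F]{64}")


class Rule(NamedTuple):
    name: str
    pattern: re.Pattern
    advice: str


RULES = [
    # A quoted 32-byte hex literal: real key material checked into source.
    Rule("hardcoded-private-key",
         re.compile(r"""["'`]0x[0-9a-fA-F]{64}["'`]"""),
         "rotate the key; load it at runtime from process.env.PRIVATE_KEY or a vault"),
    # A quoted placeholder such as "0xYourPrivateKey": invites pasting a real key.
    Rule("placeholder-private-key",
         re.compile(r"""["'`]0x[A-Za-z_.]*[Kk]ey["'`]"""),
         "replace the placeholder with a runtime lookup and warn about key exposure"),
    # --private-key on a command line: the expanded value lands in ps and logs.
    Rule("private-key-cli-arg",
         re.compile(r"--private-key(?:=|\s+)\S+"),
         "prefer --interactive, --keystore or a hardware wallet flag"),
]


class Finding(NamedTuple):
    line: int
    severity: str
    rule: str
    snippet: str   # offending line with any key-shaped hex redacted
    advice: str


def redact(line: str) -> str:
    """Mask anything shaped like a raw key so the report itself cannot leak it."""
    return HEX_KEY.sub("0x<redacted>", line)


def scan(text: str) -> List[Finding]:
    """Run every rule over every line; all three patterns are HIGH, as in the report."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule in RULES:
            if rule.pattern.search(line):
                findings.append(Finding(lineno, "HIGH", rule.name,
                                        redact(line.strip()), rule.advice))
    return findings


def render(findings: List[Finding], path: str = "SKILL.md") -> List[str]:
    """Format findings in the path:line style used in the table above."""
    return [f"{path}:{f.line} {f.severity} {f.rule}: {f.advice}" for f in findings]


if __name__ == "__main__":
    for row in render(scan(SAMPLE_SKILL)):
        print(row)
```

Run against the constructed sample, the scanner reports lines 2, 4 and 5 and stays silent on the `process.env.PRIVATE_KEY` lookup and the `--ledger` invocation, which is the behaviour the two remediations above ask for. The redaction step matters in practice: a scanner that echoes offending lines verbatim into a CI log reproduces exactly the exposure it is meant to catch.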
Full report: https://skillshield.io/report/f8d69d4d5cebf028
Powered by SkillShield