Trust Assessment
clawcast-wallet received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 12 findings: 4 critical, 2 high, 5 medium, and 1 low severity. Key findings include Persistence / self-modification instructions, Arbitrary command execution, Sensitive environment variable access: $HOME.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 31/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (12)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions. Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/tezatezaz/clawcast-wallet/scripts/01_install_cast.sh:22 |
| CRITICAL | Arbitrary command execution. Remote code download piped to interpreter. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/tezatezaz/clawcast-wallet/scripts/01_install_cast.sh:19 |
| CRITICAL | Remote code execution: curl/wget pipe to shell. Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/tezatezaz/clawcast-wallet/scripts/01_install_cast.sh:15 |
| CRITICAL | state_set function vulnerable to command injection via key argument. The `state_set` function in `scripts/00_lib.sh` constructs a shell command to write to or modify `state.env` using the `key` argument directly. If the `key` argument contains shell metacharacters (e.g., `;`, `$(...)`, backticks), these could be executed when `state.env` is sourced by other scripts. Although the provided skill scripts use fixed string literals for keys, a malicious prompt could instruct the agent to call `state_set` with a user-controlled, unsanitized key, leading to arbitrary command execution. Sanitize or strictly validate the `key` argument to `state_set` to ensure it only contains safe characters (e.g., alphanumeric, underscores). Alternatively, use a more robust configuration management system that does not involve sourcing shell scripts for state. | LLM | scripts/00_lib.sh:133 |
| HIGH | Wallet password stored in plaintext file. The wallet password entered by the user is saved in plaintext to `${HOME}/.agent-wallet/pw.txt`. While file permissions are set to `600` (owner read/write only) and the file is deleted upon wallet removal, storing a sensitive credential like a password in plaintext on the filesystem increases the risk of compromise if the agent's host environment is breached or if the file is accessed by other processes with sufficient privileges. Avoid storing sensitive credentials in plaintext. Consider using a secure credential manager, an encrypted vault, or prompting the user for the password each time it's needed for an operation. If temporary storage is absolutely necessary, ensure it's encrypted and deleted immediately after use. | LLM | scripts/03_password.sh:29 |
| HIGH | Foundry installation via `curl \| bash` from external URL. The `scripts/01_install_cast.sh` script installs Foundry (which includes `cast`) by piping the output of `curl -L https://foundry.paradigm.xyz` directly to `bash`. This method is highly susceptible to supply chain attacks. If `foundry.paradigm.xyz` were compromised, arbitrary code could be executed on the agent's host system without prior verification, leading to full system compromise. Use a more secure and verifiable installation method. This typically involves downloading a specific version of a package, verifying its cryptographic signature (e.g., GPG, checksums), and then installing it. Avoid piping `curl` output directly to `bash` from external sources. | LLM | scripts/01_install_cast.sh:20 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/tezatezaz/clawcast-wallet/scripts/00_lib.sh:5 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/tezatezaz/clawcast-wallet/scripts/01_install_cast.sh:22 |
| MEDIUM | Persistence mechanism: Shell RC file modification. Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/tezatezaz/clawcast-wallet/scripts/01_install_cast.sh:22 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/tezatezaz/clawcast-wallet/scripts/remove_wallet.sh:17 |
| MEDIUM | Use of `sudo` for installing `at` command. The `scripts/02_wallet.sh` script attempts to install the `at` command using `sudo sh -c "$installer"`. While the `$installer` variable is derived from fixed strings and not directly user-controlled, the use of `sudo` grants elevated privileges to the script. This increases the attack surface and potential impact if there were an unforeseen vulnerability in the installation command or the `at` package itself. Re-evaluate the necessity of `at` or its installation method. If `at` is critical, consider if the agent's environment can be pre-configured with it, or if there's a way to install it without requiring `sudo` (e.g., user-level package managers, if applicable). If `sudo` is unavoidable, ensure the command executed is as minimal and secure as possible. | LLM | scripts/02_wallet.sh:79 |
| LOW | Temporary storage of mnemonic words and private keys in files. Mnemonic words are temporarily saved to `~/.agent-wallet/mnemonic-words-<timestamp>.txt` and private keys to `~/.agent-wallet/privatekey.tmp`. While strict file permissions (`chmod 600`) are applied, and deletion is scheduled (`at now + 1 hour`) for mnemonics or immediate for private keys, any temporary storage of sensitive credentials on disk introduces a window of vulnerability. This risk is mitigated by the strict permissions and cleanup mechanisms. Ensure that temporary files for sensitive data are created with the most restrictive permissions possible (`umask 077` is used, which is good) and are deleted as soon as they are no longer needed. Explore options for in-memory handling of such data to minimize disk exposure. | LLM | scripts/02_wallet.sh:140 |