Trust Assessment
clawpay received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. Key findings include insecure handling of private keys and an unpinned dependency in the installation instructions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Insecure handling of private keys. The provided `send-private.mjs` script and instructions explicitly encourage users to hardcode their wallet private key directly into the script (`'0xYOUR_PRIVATE_KEY'`) or pass it as an environment variable on the command line (`WALLET_KEY=0xYourPrivateKey`). Hardcoding private keys is a severe security vulnerability, as it can lead to the permanent loss of funds if the script is accidentally committed to a public repository or if the file is accessed by unauthorized parties. Passing sensitive credentials via command-line arguments can also expose them in shell history or process lists. Advise users to use a secure method for handling private keys, such as a dedicated key management service, hardware wallet, or encrypted secrets store. If using an environment variable, ensure it is not exposed in shell history or process lists. Never hardcode private keys directly into source code. For AI agents, integrate with secure wallet providers that abstract key management. | LLM | SKILL.md:10 |
| HIGH | Unpinned dependency in installation instructions. The installation instruction `npm install ethers` does not specify a version for the `ethers` package. This can lead to supply chain vulnerabilities where a malicious or buggy new version of the package could be automatically installed, potentially compromising the user's system or funds. Without a pinned version, the integrity and security of the dependency cannot be guaranteed over time. Always pin dependency versions to specific, known-good versions (e.g., `npm install ethers@5.7.0` or `npm install ethers@^5.7.0` and commit `package-lock.json`). Regularly audit and update dependencies to mitigate risks. | LLM | SKILL.md:69 |
Full report: https://skillshield.io/report/1eabdeb9e278f366