Trust Assessment
credex-protocol received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include Unpinned npm dependency version, Untrusted content attempts to manipulate host LLM instructions, Skill can exfiltrate agent's public wallet address and transaction data to arbitrary URL.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Untrusted content attempts to manipulate host LLM instructions.** The `SKILL.md` file, which is treated as untrusted input, contains explicit instructions for the host LLM, such as "Pre-Flight Check: Before running any command, verify `WALLET_PRIVATE_KEY` is set. If missing, prompt the user." This attempts to override or inject new instructions into the LLM's operational directives, which is a direct prompt injection attempt. Remove all direct instructions to the host LLM from untrusted skill content. LLM instructions should be provided out-of-band or through trusted configuration. | LLM | SKILL.md:41 |
| HIGH | **Skill can exfiltrate agent's public wallet address and transaction data to arbitrary URL.** The `scripts/client.ts` file uses `CONFIG.AGENT_URL` for API calls (e.g., `/borrow`, `/repay`). This URL is configurable via the `CREDEX_AGENT_URL` environment variable. If an attacker can control this environment variable, they can redirect these API calls to a malicious server, thereby exfiltrating the agent's public wallet address (`wallet.address`) and transaction-related data (e.g., `amount` to borrow/repay). While the private key is not directly exfiltrated, the public address and transaction intent are sensitive information. Restrict `CREDEX_AGENT_URL` to a whitelist of trusted domains or ensure it cannot be easily overridden by untrusted input. If dynamic configuration is necessary, implement robust validation and user consent mechanisms for external network requests. | LLM | scripts/client.ts:45 |
| MEDIUM | **Unpinned npm dependency version.** Dependency `@circle-fin/adapter-viem-v2` is not pinned to an exact version (`^1.4.0`). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/capgoblin/credex-protocol/package.json |
| INFO | **Dependencies in package.json use caret ranges, allowing minor/patch updates.** The `package.json` file specifies dependencies using caret (`^`) version ranges (e.g., `^1.4.0`). While `package-lock.json` pins exact versions, relying solely on caret ranges in `package.json` can lead to unexpected dependency updates if the lock file is not strictly used or if new dependencies are added. This increases the risk of introducing vulnerabilities from newer, untested versions of libraries. Consider pinning exact versions for all production dependencies in `package.json` to ensure deterministic builds and prevent unintended updates. Regularly audit and update `package-lock.json`. | LLM | package.json:16 |