Trust Assessment
data-nexus-sentinel-teneo received a trust score of 73/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. Key findings include "Direct use of Ethereum private key with third-party SDK".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Direct use of Ethereum private key with third-party SDK.** The skill instructs users to provide their full Ethereum private key directly as an environment variable (`PRIVATE_KEY`) and pass it to the `TeneoSDK` constructor. This exposes a highly sensitive credential to a third-party library and its associated backend (`wss://backend.developer.chatroom.teneo-protocol.ai/ws`). A compromise of the `TeneoSDK` package or the Teneo Protocol backend could lead to the exfiltration and misuse of the user's private key, resulting in the loss of all associated crypto assets. While this is the intended functionality of the SDK, it represents a critical security risk for users. Advise users on the extreme risks of using a full private key. Explore alternative authentication mechanisms such as: 1. **Key Management Services (KMS):** Integrate with secure KMS solutions. 2. **Limited-scope keys/permissions:** If possible, use keys with restricted permissions or derived keys for specific operations. 3. **Wallet Connect/EIP-1193:** Allow users to connect their existing wallets (e.g., MetaMask) without exposing their private key directly to the agent or SDK. The SDK would then sign transactions via the connected wallet. 4. **Hardware Security Modules (HSM):** For high-value operations, recommend or integrate with HSMs. 5. **Clear warnings:** Provide prominent warnings about the risks involved and best practices for securing private keys. | LLM | SKILL.md:70 |