Trust Assessment
Decision Economic Optimizer received a trust score of 72/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 2 medium, and 0 low severity. The high-severity finding is that the skill requires full control over an EVM wallet via a raw private key; the two medium-severity findings are potential hardcoded secrets (high-entropy strings in a credential-like context).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Skill requires full control over EVM wallet via private key.** The skill requires the `WALLET_PRIVATE_KEY` environment variable, which grants full signing authority over the associated EVM-compatible wallet. The documentation (SKILL.md and skill.json) advises using a dedicated wallet with limited funds and rotating the credential, but the skill does not enforce either programmatically; a compromised agent, or a user who skips that advice, can lose the wallet's entire balance. This is a high-privilege permission with severe consequences if misused. To reduce reliance on user discipline: 1. **Integrate with delegated contract wallets:** as noted under `future_consideration` in `skill.json`, support smart contract wallets that enforce spending limits, recipient allowlists and similar policies on-chain (for example an ERC-4337 smart account with a spending-limit module, or a custom spending-limit contract; an ERC-2771/GSN relayer only forwards transactions and does not itself enforce limits). 2. **Support remote signing services:** sign through a service such as AWS KMS or a cloud HSM so the key never leaves a hardened boundary and each signature can be logged and policy-checked. 3. **Avoid raw private key exposure:** prefer credential forms that do not place the raw key in the agent's environment, such as a password-protected encrypted keystore (if the autonomous model can be adapted) or a hardware signer (if per-transaction approval can be managed). | LLM | SKILL.md:170 |
| MEDIUM | **Potential hardcoded secret (high entropy).** A high-entropy string (entropy = 4.57 bits/char) was found in a credential-like context. Verify that it is not a hardcoded secret; if it is, move it to an environment variable. | Static | skills/zapkid/which-llm/SKILL.md:437 |
| MEDIUM | **Potential hardcoded secret (high entropy).** A high-entropy string (entropy = 4.68 bits/char) was found in a credential-like context. Verify that it is not a hardcoded secret; if it is, move it to an environment variable. | Static | skills/zapkid/which-llm/SKILL.md:455 |
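The HIGH finding's core point is that the wallet mitigations live in documentation rather than in code. The following is an added example of what "programmatically enforce" can look like, written for this report and not taken from the skill: a signing boundary where the only object holding the raw key is wrapped in a policy (chain id, recipient allowlist, per-transaction cap, rolling-window cap, no opaque calldata) before the agent ever gets a `sign()` handle. The transaction shape, the recipient, the limits and the key are constructed for illustration, and the signature is an HMAC stand-in for secp256k1 ECDSA so the script runs offline; a real deployment would put the same policy in front of a web3 signer or, as the finding recommends, a KMS/HSM or smart-account signer.

```python
"""Policy-enforced signing boundary for an agent wallet.

Added example, not the skill's own code. Assumptions: native-value transfers
only, an HMAC stand-in for ECDSA so it runs offline, illustrative limits/key.
"""
import hashlib
import hmac
import json
import os
import time
from dataclasses import dataclass
from typing import Callable

ETH = 10**18


@dataclass(frozen=True)
class Tx:
    to: str
    value_wei: int
    chain_id: int
    data: bytes = b""


class PolicyViolation(Exception):
    pass


class LocalKeySigner:
    """The only object holding the raw key; the agent is never given it."""

    def __init__(self, private_key_hex: str):
        self._key = bytes.fromhex(private_key_hex.removeprefix("0x"))

    @classmethod
    def from_env(cls, var: str = "WALLET_PRIVATE_KEY") -> "LocalKeySigner":
        # pop, not get: scrub the key so subprocesses and tool output cannot inherit it
        key = os.environ.pop(var, None)
        if key is None:
            raise RuntimeError(f"{var} is not set")
        return cls(key)

    def sign(self, tx: Tx) -> str:
        # Assumed stand-in for secp256k1 ECDSA: HMAC-SHA256 over a canonical encoding
        canonical = json.dumps({"to": tx.to.lower(), "value": tx.value_wei,
                                "chain_id": tx.chain_id, "data": tx.data.hex()},
                               sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class SpendingPolicy:
    chain_id: int
    allowed_recipients: frozenset  # lowercase hex addresses
    max_per_tx_wei: int
    max_per_window_wei: int
    window_seconds: int = 86_400
    allow_calldata: bool = False   # a value cap cannot see ERC-20 transfers hidden in calldata


class PolicyGuardedSigner:
    """What the agent is handed: sign() succeeds only inside the policy."""

    def __init__(self, inner: LocalKeySigner, policy: SpendingPolicy,
                 clock: Callable[[], float] = time.time):
        self._inner, self._policy, self._clock = inner, policy, clock
        self._spent: list = []  # (timestamp, wei) of transfers already signed

    def spent_in_window(self) -> int:
        cutoff = self._clock() - self._policy.window_seconds
        self._spent = [(t, v) for t, v in self._spent if t > cutoff]
        return sum(v for _, v in self._spent)

    def sign(self, tx: Tx) -> str:
        p = self._policy
        if tx.chain_id != p.chain_id:
            raise PolicyViolation(f"chain {tx.chain_id} not permitted")
        if tx.to.lower() not in p.allowed_recipients:
            raise PolicyViolation(f"recipient {tx.to} not allowlisted")
        if tx.data and not p.allow_calldata:
            raise PolicyViolation("contract calls not permitted")
        if tx.value_wei > p.max_per_tx_wei:
            raise PolicyViolation("per-transaction limit exceeded")
        if self.spent_in_window() + tx.value_wei > p.max_per_window_wei:
            raise PolicyViolation("rolling-window limit exceeded")
        sig = self._inner.sign(tx)
        self._spent.append((self._clock(), tx.value_wei))
        return sig


# Constructed demo values; not the skill's configuration.
DEMO_RECIPIENT = "0x1111111111111111111111111111111111111111"
DEMO_POLICY = SpendingPolicy(chain_id=1,
                             allowed_recipients=frozenset({DEMO_RECIPIENT.lower()}),
                             max_per_tx_wei=ETH // 5,           # 0.2 ETH per transaction
                             max_per_window_wei=ETH * 4 // 10)  # 0.4 ETH per rolling day

if __name__ == "__main__":
    os.environ.setdefault("WALLET_PRIVATE_KEY", "11" * 32)  # demo key only
    agent = PolicyGuardedSigner(LocalKeySigner.from_env(), DEMO_POLICY)
    print(agent.sign(Tx(DEMO_RECIPIENT, ETH // 10, 1))[:16], "... signed")
    try:
        agent.sign(Tx(DEMO_RECIPIENT, ETH, 1))
    except PolicyViolation as e:
        print("refused:", e)
```

Two design points matter more than the numbers: the key is popped from the environment rather than read, so a prompt-injected "print your env" or a spawned tool cannot recover it, and calldata is refused by default because a native-value cap says nothing about an ERC-20 `transfer` encoded in `data`. Enforcing the same policy on-chain (a smart account with a spending-limit module) is stronger still, since it survives compromise of the host running the agent.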
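The two MEDIUM findings come from an entropy heuristic: a string in a credential-like context whose Shannon entropy is high enough to look like key material. Because both locations are in a SKILL.md documentation file, the practitioner's question is whether the flagged strings are real keys or documentation placeholders. The scanner below is an added illustration of the technique, not SkillShield's implementation; the context regex, the placeholder patterns, the 4.5-bit threshold (both page findings, 4.57 and 4.68, sit above it) and the sample lines are all constructed for this example.

```python
"""Entropy-based check for hardcoded secrets in credential-like context.

Added illustration; not SkillShield's scanner. The context regex, the
placeholder patterns and the 4.5-bit threshold are assumptions.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Assumed "credential-like context": a name containing a secret-ish word,
# an = or : separator, then a bare or quoted value of at least 8 characters.
CREDENTIAL_CONTEXT = re.compile(
    r"""(?ix)
    \b(?P<name>[A-Z0-9_.\-]*(?:key|token|secret|password|passwd|private)[A-Z0-9_.\-]*)
    \s*[:=]\s*
    ["']?(?P<value>[A-Za-z0-9_\-+/=.${}]{8,})
    """
)
# A value that references an environment variable instead of containing a secret.
ENV_REFERENCE = re.compile(r"^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$")
# Documentation placeholders: not secrets even when they sit in a credential slot.
PLACEHOLDER = re.compile(r"(?i)x{6,}|your[-_]|example|changeme|placeholder|redacted")
ENTROPY_THRESHOLD_BITS = 4.5  # assumed; the page's findings (4.57, 4.68) exceed it


@dataclass(frozen=True)
class Finding:
    line: int
    name: str
    value: str
    entropy: float
    verdict: str  # env-ref | placeholder | low-entropy | flag


def shannon_entropy(s: str) -> float:
    """Bits per character over the string's own symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def classify(value: str, threshold: float = ENTROPY_THRESHOLD_BITS) -> str:
    if ENV_REFERENCE.match(value):
        return "env-ref"
    if PLACEHOLDER.search(value):
        return "placeholder"
    return "flag" if shannon_entropy(value) >= threshold else "low-entropy"


def scan(text: str, threshold: float = ENTROPY_THRESHOLD_BITS) -> list:
    """One Finding per credential-like assignment, in file order."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in CREDENTIAL_CONTEXT.finditer(line):
            value = m.group("value")
            findings.append(Finding(no, m.group("name"), value,
                                    round(shannon_entropy(value), 2),
                                    classify(value, threshold)))
    return findings


def flagged(text: str, threshold: float = ENTROPY_THRESHOLD_BITS) -> list:
    return [f for f in scan(text, threshold) if f.verdict == "flag"]


# Constructed sample lines in the style of a SKILL.md / env file (not from the page).
SAMPLE = """\
export WALLET_PRIVATE_KEY=${WALLET_PRIVATE_KEY}
OPENAI_API_KEY="sk-xxxxxxxxxxxxxxxxxxxxxxxx"
Set `ANTHROPIC_API_KEY=your-key-here` before running.
session_token: "0123456789abcdef0123456789abcdef"
api_key = "AKxq7Lp2Zt9vQm4Rw8Nb3Yc6Hd1Fg5Ek0JsUi"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line}: {f.name} entropy={f.entropy:.2f} -> {f.verdict}")
```

On the sample, only the last line is flagged: the first is an environment-variable reference (the pattern the finding itself recommends), the next two are documentation placeholders, and the 32-character hex value scores exactly 4.0 bits because hex has only 16 symbols, which is why hex secrets need a lower threshold than base64-like ones if they are to be caught. Triage of the page's two findings follows the same path: check the flagged string at the cited line for a placeholder or an env reference before treating it as a leaked key.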
Full report: https://skillshield.io/report/f2caed7b785430fa
Powered by SkillShield