Trust Assessment
ethereum-read-only received a trust score of 72/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. Key findings include Command Injection via `eval` with untrusted input.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Command Injection via `eval` with untrusted input. The `search_transfer_events` function in the provided `event-log-searcher.sh` script constructs a shell command string (`cmd`) from user-provided arguments (`$contract_address`, `$from_block`, `$to_block`, `$sender`, `$receiver`) and then executes it with `eval "$cmd"`. Because `eval` re-parses the string as shell syntax, any argument containing shell metacharacters (e.g., `;`, `|`, `$(...)`, `` ` ``) lets an attacker inject arbitrary commands that run with the privileges of the process invoking the skill. Remediation: do not pass user-controlled input through `eval`. Build the command as an argv array and execute it directly (e.g., `command=("cast" "logs" ... "$sender")` then `"${command[@]}"`), so each value reaches `cast` as a single argument. In addition, validate each input against the narrow format it must have (a `0x`-prefixed 40-hex-digit address, a block number or tag) and reject anything else; escaping metacharacters before `eval` is a weaker fallback and easy to get wrong. | LLM | SKILL.md:170 |
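The following is an added example, not code from the ethereum-read-only skill or from SkillShield. It reconstructs the pattern the finding describes (a command string built from user arguments and run with `eval`) next to the array-based form the finding recommends, with allow-list validation on top. The real script calls `cast logs`; here a stand-in `fake_cast` prints its argv so the difference is observable without Foundry installed. The flag names (`--address`, `--from-block`, `--to-block`) and the event signature are assumptions about how the script invokes `cast`, which the report does not quote.

```bash
#!/usr/bin/env bash
# Added example (not the skill's code). Vulnerable eval construction vs. an
# argv array, using fake_cast in place of the real `cast` binary.

fake_cast() {
  # Stand-in for `cast`: print the argument count and each argument in brackets.
  printf 'argc=%d' "$#"
  printf ' [%s]' "$@"
  printf '\n'
}

# VULNERABLE: the values are interpolated into a string that eval re-parses, so
# `;`, `|`, `$(...)` or backticks inside any argument become shell syntax.
# Flag names below are assumed; the report does not show the real invocation.
search_transfer_events_vulnerable() {
  local contract_address=$1 from_block=$2 to_block=$3 sender=$4 receiver=$5
  local cmd="fake_cast logs --address $contract_address --from-block $from_block --to-block $to_block 'Transfer(address,address,uint256)' $sender $receiver"
  eval "$cmd"
}

# Allow-list validation: every input has a narrow known shape, so reject
# anything else rather than trying to escape metacharacters.
is_hex_address() { [[ $1 =~ ^0x[0-9a-fA-F]{40}$ ]]; }
is_block_ref()   { [[ $1 =~ ^([0-9]+|latest|earliest|pending)$ ]]; }

# HARDENED: validate, then build argv as an array and execute it directly.
# Each element reaches the program verbatim; nothing is re-parsed by the shell.
search_transfer_events_safe() {
  local contract_address=$1 from_block=$2 to_block=$3 sender=$4 receiver=$5
  is_hex_address "$contract_address" || { echo "bad contract address" >&2; return 2; }
  is_block_ref "$from_block" && is_block_ref "$to_block" || { echo "bad block range" >&2; return 2; }
  is_hex_address "$sender" && is_hex_address "$receiver" || { echo "bad sender/receiver" >&2; return 2; }
  local command=(fake_cast logs
    --address "$contract_address"
    --from-block "$from_block" --to-block "$to_block"
    'Transfer(address,address,uint256)'
    "$sender" "$receiver")
  "${command[@]}"
}

# Constructed inputs: a well-formed contract/receiver and a hostile `sender`
# carrying a payload after a semicolon.
CONTRACT=0x1111111111111111111111111111111111111111
RECEIVER=0x2222222222222222222222222222222222222222
PAYLOAD='0xdead; echo INJECTED'

echo '--- eval version, hostile sender: the payload runs as a second command ---'
search_transfer_events_vulnerable "$CONTRACT" 100 200 "$PAYLOAD" "$RECEIVER"
echo '--- array version, hostile sender: rejected before anything runs ---'
search_transfer_events_safe "$CONTRACT" 100 200 "$PAYLOAD" "$RECEIVER" || echo "rejected with exit $?"
echo '--- array version, valid inputs: ten clean arguments reach cast ---'
search_transfer_events_safe "$CONTRACT" 100 200 "$CONTRACT" "$RECEIVER"
```

In the eval version the stand-in receives only nine arguments (the receiver is swallowed into the injected `echo`), and a separate `INJECTED` line appears. In the array version a value such as `0xdead; echo INJECTED` either fails validation or, if validation were dropped, would arrive at `cast` as one literal argument; either way it is never interpreted as shell syntax.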
Full report: https://skillshield.io/report/b1227cdd127a10af