Trust Assessment
etherlink received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The key finding is "Skill requires direct exposure of EVM private key".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Skill requires direct exposure of EVM private key | LLM | SKILL.md:18 |

The skill's setup instructions in `SKILL.md` explicitly require the user to provide an `EVM_PRIVATE_KEY` as an environment variable to the MCP server. This means the skill's runtime environment will have direct access to a highly sensitive credential. While the provided content doesn't show the MCP server's code, the instruction itself creates a significant attack surface. A compromised MCP server or a vulnerability in its handling of this key could lead to the loss of funds or control over associated blockchain accounts.

1. Avoid direct private key exposure: Explore alternative secure key management solutions, such as using hardware security modules (HSMs), secure enclaves, or external key management services.
2. Use limited-privilege keys: If a private key is absolutely necessary, ensure it's a 'burner' key with minimal funds and permissions, used only for specific, limited operations.
3. Environment variable security: Emphasize that environment variables are not secure for long-term storage of sensitive credentials and should be protected with strict access controls.
4. Just-in-time access: Implement mechanisms where the private key is only available for the duration of a transaction and then securely wiped from memory.
5. Documentation: Clearly document the risks associated with providing a private key and best practices for its secure handling.