Trust Assessment
fluxa-agent-wallet received a trust score of 88/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The key finding is a potential command injection via an unsanitized payment link URL passed to `curl`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Command Injection via unsanitized payment link URL in curl. The skill instructs the agent to execute a `curl` command: `PAYLOAD=$(curl -s <payment_link_url>)`. If `<payment_link_url>` is sourced from untrusted user input (e.g., a user-provided payment link) without proper validation and sanitization, an attacker could inject shell metacharacters (e.g., `http://example.com; rm -rf /`) into the URL. This could lead to arbitrary command execution on the host system where the agent is running. Implement robust validation and sanitization for any user-provided `payment_link_url` before constructing and executing the `curl` command. Ensure that only valid URLs are processed and that no shell metacharacters can be injected. Consider using a safer method for fetching URLs that does not involve direct shell execution with unsanitized input, or explicitly quote/escape the URL within the shell command. | LLM | SKILL.md:105 |