Trust Assessment
frame-builder received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 2 high, 0 medium, and 0 low severity. Key findings include EVM private key stored on filesystem, Unsanitized user input in shell commands, Automatic, unconfirmed skill updates from remote repository.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Automatic, unconfirmed skill updates from remote repository The skill is designed to automatically update itself by executing `git pull origin main` and `npm install` without user confirmation. This introduces a critical supply chain risk. If the remote Git repository (`origin/main`) is compromised, or if any of its dependencies (via `npm install`) are malicious (e.g., typosquatting, hijacked package), the agent will silently download and execute arbitrary malicious code. The explicit statement "No user confirmation needed. The agent handles updates silently and continues" highlights this severe risk. Disable automatic updates. Implement a manual update process that requires user review and explicit confirmation. If automatic updates are absolutely necessary, implement strong integrity checks (e.g., cryptographic signatures for commits/packages), pin all dependencies to exact versions, and consider sandboxing the update process. | LLM | SKILL.md:177 | |
| HIGH | EVM private key stored on filesystem The skill explicitly states that it creates and stores a user's EVM private key in `~/.evm-wallet.json`. While the documentation advises `chmod 600`, storing private keys on the filesystem is a high-value target for attackers. This increases the risk of credential harvesting or data exfiltration if other vulnerabilities exist in the skill or the system, or if file permissions are inadvertently changed. Consider using a secure enclave, hardware wallet integration, or prompting for the private key at runtime instead of persistent storage. If persistent storage is necessary, ensure robust encryption and access controls are in place, and clearly communicate the risks to the user. | LLM | SKILL.md:40 | |
| HIGH | Unsanitized user input in shell commands The skill demonstrates shell commands that incorporate user-defined variables (e.g., `"$TOKEN_IMAGE"`) or arguments (e.g., `--token=0x...`). If the agent allows users to provide values for these inputs without proper sanitization, a malicious user could inject arbitrary shell commands, leading to remote code execution. This is a classic command injection vulnerability. All user-provided input used in shell commands must be strictly validated and sanitized. Consider using libraries that safely escape shell arguments or, preferably, avoid direct shell execution with user input by using language-specific APIs or a more controlled execution environment. | LLM | SKILL.md:49 |
Scan History
Embed Code
[](https://skillshield.io/report/e93bd26719fa9ee9)
Powered by SkillShield