Trust Assessment
fxclaw received a trust score of 72/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. Key findings include Private Key Exposed to Standard Output.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Private Key Exposed to Standard Output: The skill instructs the agent to generate an Ethereum private key using `openssl` and then immediately print it to standard output (`echo "PRIVATE_KEY: 0x$PRIVATE_KEY"`). In many AI agent environments, standard output is logged or visible to the user/developer, leading to the direct exposure of a critical credential. While the skill later instructs secure file storage, this intermediate step creates a significant vulnerability. Remove the `echo "PRIVATE_KEY: 0x$PRIVATE_KEY"` command. The private key should be stored directly into the secure file (`~/.fxclaw_wallet`) without being printed to standard output. Only the derived public address should be displayed if necessary. | LLM | SKILL.md:33 |