Trust Assessment
gekko-yield received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 2 high, 1 medium, and 0 low severity. Key findings include Unpinned npm dependency version, Direct Execution of External API-Provided Transaction Data, Unpinned Dependencies in package.json with npm install option.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Direct Execution of External API-Provided Transaction Data The `compound.ts` script fetches transaction data (including `to` address, `data` payload, and `value`) from the Odos API (`https://api.odos.xyz/sor/assemble`) and directly executes it via `walletClient.sendTransaction`. This design implicitly trusts the external Odos API to provide legitimate and non-malicious transaction details. If the Odos API were compromised or became malicious, it could instruct the user's wallet to perform arbitrary, harmful actions (e.g., drain funds, approve malicious contracts) without explicit client-side validation of the transaction's intent. The `simulate: false` flag in the Odos assemble request means the simulation is not happening on the Odos side for the user, and the skill itself does not perform a client-side simulation of the Odos-generated transaction before sending. Implement robust client-side validation of the transaction data received from Odos (e.g., decode the `data` field to verify the target function and arguments, ensure the `to` address is an expected swap router, and confirm the `value` and `gas` are reasonable). Alternatively, perform a client-side simulation of the Odos-generated transaction using `publicClient.simulateContract` before sending it. Explicitly warn users about the trust placed in the Odos API for transaction construction. | LLM | scripts/compound.ts:160 | |
| HIGH | Unpinned Dependencies in package.json with npm install option The `scripts/package.json` file uses caret (`^`) ranges for its dependencies (`viem`, `tsx`, `typescript`), allowing minor and patch updates. While `pnpm-lock.yaml` provides exact pinning for `pnpm` users, the `SKILL.md` explicitly suggests `pnpm install # or npm install`. If a user chooses `npm install`, the `pnpm-lock.yaml` will be ignored, and `npm` will resolve dependencies based on the `package.json`'s loose version ranges. This introduces a supply chain risk, as a malicious update to any dependency (even a transitive one) could be pulled in without explicit review, potentially leading to arbitrary code execution or data exfiltration. Remove `npm install` as a suggested installation method from `SKILL.md` and explicitly instruct users to use `pnpm install` to leverage the lockfile for dependency pinning. Alternatively, pin all dependencies to exact versions in `package.json` (e.g., `viem: "2.21.0"`) to ensure consistent installations regardless of the package manager. | LLM | scripts/package.json:7 | |
| HIGH | Direct Exposure of Private Key via Environment Variable The skill requires the user to provide their raw private key as an environment variable (`PRIVATE_KEY`). This grants the skill's process full, unrestricted control over the associated cryptocurrency wallet. While the skill includes recommendations for using a dedicated hot wallet with limited funds and states that keys are not logged or written to disk, the fundamental design exposes the private key directly to the execution environment. Any vulnerability within the skill's codebase, its dependencies, or the underlying operating system could lead to the compromise of this private key and the loss of all funds in the wallet. This represents an excessive permission model for an automated agent skill. Explore alternative, more secure methods for transaction signing that do not require exposing the raw private key to the skill's process. Examples include integrating with hardware wallets, secure enclaves, or external signing services that only sign pre-approved, user-verified transactions. If direct private key exposure is unavoidable for the current architecture, strongly emphasize the use of a dedicated, low-value hot wallet and provide clear instructions on how to minimize risk (e.g., revoke approvals after use, regularly sweep funds). | LLM | SKILL.md:60 | |
| MEDIUM | Unpinned npm dependency version Dependency 'viem' is not pinned to an exact version ('^2.21.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/gekkoai001/gekkoai-yield/scripts/package.json |
Scan History
Embed Code
[](https://skillshield.io/report/4131e6d88ffd35dc)
Powered by SkillShield