Trust Assessment
go4me received a trust score of 56/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 0 medium, 0 low, and 1 informational. The findings are: network egress to an untrusted endpoint, JSON injection in the `send_xch` curl command, and use of sensitive credentials via environment variables.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints (HTTP request to a raw IP address) | Manifest | skills/koba42corp/go4me/SKILL.md:53 |
| HIGH | JSON injection in the `send_xch` curl command | LLM | SKILL.md:52 |
| INFO | Use of sensitive credentials via environment variables | LLM | SKILL.md:52 |

CRITICAL: Network egress to untrusted endpoints
The manifest layer flagged an HTTP request to a raw IP address. Recommendation: review all outbound network calls and remove connections to webhook collectors, paste sites, and raw IP addresses; legitimate API calls should use well-known service domains. Caveat: the INFO finding on the same `curl` command identifies the target as `127.0.0.1`, the local `sage-wallet` endpoint. Confirm whether the flagged address is that loopback address rather than an external host before treating this as data exfiltration; a loopback-only call carries no egress risk, and the severity should be judged on that.

HIGH: JSON injection in the `send_xch` curl command
The `mojos` value, derived from user input such as `1 XCH` or `1 mojo`, is interpolated directly into the JSON body of a `curl` command without escaping. A value containing `"` or other JSON-breaking characters lets the caller close the amount field and inject arbitrary JSON fields into the request sent to the local `send_xch` endpoint, which can alter transaction parameters such as the fee or destination. Recommendation: because the amount is a count of mojos, validate it as an unsigned integer before it is used and emit it as a JSON number; replacing `"` with `\"` alone is not sufficient, since backslashes and control characters also need handling. Building the payload with a dedicated JSON tool (for example `jq` with `--arg` or `--argjson`) is safer than string concatenation.

INFO: Use of sensitive credentials via environment variables
The skill reads sensitive credentials (`$CERT`, `$KEY`) from environment variables to authenticate to the local `sage-wallet` service. The `curl` command targets `127.0.0.1`, so the credentials do not leave the host, but they still need to be managed carefully in the skill's execution environment. Recommendation: do not hardcode credentials; store them in the secrets management system the platform provides; grant access only to the processes that need them (least privilege); and make sure they are not logged, echoed in error messages, or otherwise exposed.
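The following POSIX shell example is added here to illustrate the HIGH finding; it is not code from the go4me skill or from the SkillShield report. It places the verbatim-interpolation pattern the finding describes next to a hardened version that reduces the user's amount to an integer mojo count before it can reach the JSON body, and it passes the `$CERT`/`$KEY` paths to `curl` without echoing them. The request field names (`address`, `amount`, `fee`), the `$SAGE_URL` variable, and the bech32 character check on the address are assumptions for the example, not the wallet's documented API.

```shell
#!/bin/sh
# Added example, not code from the go4me skill or the SkillShield report.
# Assumptions (hypothetical, not taken from the skill): the request body
# fields are "address", "amount" (integer mojos) and "fee"; the wallet base
# URL comes from $SAGE_URL; $CERT and $KEY are the client-certificate paths
# the report mentions.

# Naive: the user-supplied amount is dropped into the payload verbatim.
# An input such as  1","address":"xch1attacker  closes the amount string
# and appends a second "address" key, which last-key-wins JSON parsers honour.
build_payload_naive() {
    printf '{"fee":0,"address":"%s","amount":"%s"}' "$1" "$2"
}

# Convert "<n> XCH" or "<n> mojo[s]" into an integer mojo count, accepting
# only digits (and at most 12 decimal places for XCH, since 1 XCH = 10^12 mojos).
# Anything else, including a quote or brace in the input, is rejected.
to_mojos() {
    num=${1%% *}
    unit=${1#* }
    [ "$unit" != "$1" ] || return 1            # no unit given
    case "$unit" in
        XCH|xch)
            case "$num" in ''|.|*[!0-9.]*|*.*.*) return 1 ;; esac
            whole=${num%%.*}
            case "$num" in *.*) frac=${num#*.} ;; *) frac='' ;; esac
            while [ ${#frac} -lt 12 ]; do frac="${frac}0"; done
            [ ${#frac} -eq 12 ] || return 1    # finer than one mojo: reject
            m="${whole:-0}${frac}"
            # strip leading zeros without shell arithmetic (which may read them as octal)
            while [ ${#m} -gt 1 ] && [ "${m#0}" != "$m" ]; do m=${m#0}; done
            printf '%s' "$m"
            ;;
        mojo|mojos)
            case "$num" in ''|*[!0-9]*) return 1 ;; esac
            printf '%s' "$num"
            ;;
        *) return 1 ;;
    esac
}

# Hardened: the amount is already digits only, and the address is limited to
# an "xch1" prefix plus lowercase alphanumerics (a minimal check, assumed here),
# so no input can break out of its field. The amount is emitted as a JSON
# number rather than a quoted string.
build_payload_safe() {
    addr=$1
    mojos=$2
    case "$addr" in xch1*) ;; *) return 1 ;; esac
    case "$addr" in *[!a-z0-9]*) return 1 ;; esac
    case "$mojos" in ''|*[!0-9]*) return 1 ;; esac
    printf '{"fee":0,"address":"%s","amount":%s}' "$addr" "$mojos"
}

# Usage: send_xch xch1... "0.5 XCH"
# $CERT and $KEY are handed to curl as file paths and never printed.
send_xch() {
    mojos=$(to_mojos "$2") || { echo "rejected amount: $2" >&2; return 1; }
    payload=$(build_payload_safe "$1" "$mojos") || { echo "rejected request" >&2; return 1; }
    curl --silent --fail --cert "$CERT" --key "$KEY" \
        -H 'Content-Type: application/json' \
        --data "$payload" "${SAGE_URL:-https://127.0.0.1}/send_xch"
}
```

Running `to_mojos` before the payload is assembled is the important ordering: validation happens on the user's string, and the only thing that ever reaches `printf` is a digit string, so there is nothing left to escape.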
Full report: https://skillshield.io/report/8dbdfe6013f42aa2 (powered by SkillShield)