Trust Assessment
jb-explorer-ui received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 2 high, 2 medium, and 0 low severity. Key findings include Client-Side XSS via Unsanitized Error Messages, Client-Side XSS via Unsanitized ABI Content, and Supply Chain Risk: External CDN for Ethers.js.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 56/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| HIGH | Client-Side XSS via Unsanitized Error Messages | The skill inserts error messages (`e.message`) directly into the DOM using `innerHTML` without sanitization. An attacker could craft a malicious error message (e.g., from a compromised smart contract or API response) containing JavaScript, leading to Cross-Site Scripting (XSS) when the error is displayed to the user. | Sanitize all user-controlled or external content before inserting it into `innerHTML`. For error messages, use `textContent` instead of `innerHTML` to prevent HTML parsing, or use a robust sanitization library such as DOMPurify. | LLM | SKILL.md:197 |
| HIGH | Client-Side XSS via Unsanitized ABI Content | The skill constructs HTML dynamically by embedding values from the fetched contract ABI (e.g., `fn.name`, `inp.name`, `inp.type`) directly into `innerHTML`. If a malicious ABI is loaded (e.g., from a compromised Etherscan API or a manipulated local ABI file), it could contain arbitrary HTML or JavaScript, leading to Cross-Site Scripting (XSS) when the function details are rendered. | Sanitize all ABI-derived content (`fn.name`, `inp.name`, `inp.type`) before inserting it into `innerHTML`. Prefer `textContent` for displaying text, or use a robust HTML sanitization library if HTML formatting is required. | LLM | SKILL.md:230 |
| MEDIUM | Supply Chain Risk: External CDN for Ethers.js | The skill loads the `ethers.js` library from a third-party CDN (`https://cdn.jsdelivr.net`). While `jsdelivr` is a reputable CDN and the version is pinned (`ethers@6`), a compromise of the CDN provider or of the `ethers.js` package itself could deliver malicious code to users. This is a common supply chain risk for web applications that rely on external resources. | Consider self-hosting critical JavaScript libraries to reduce reliance on external CDNs. If a CDN is necessary, implement Subresource Integrity (SRI) so that fetched resources are rejected if they have been tampered with. The platform hosting the skill would need to support SRI. | LLM | SKILL.md:109 |
| MEDIUM | Supply Chain Risk: External ABI Fetching from Etherscan-like APIs | The `fetchABI` function retrieves contract ABIs from external Etherscan-like APIs (e.g., `api.etherscan.io`). The skill's functionality depends on these services returning accurate, uncompromised ABI data. A compromise of these APIs could cause the skill to load a malicious ABI, potentially leading users to interact with unintended contract functions or sign malicious transactions. | Relying on trusted blockchain explorers is common, but consider additional validation or warnings for fetched ABIs. For highly sensitive operations, advise users to verify the ABI independently. If possible, provide an option to manually input or verify ABIs from trusted sources. | LLM | SKILL.md:60 |
Report: https://skillshield.io/report/76d86cc41a77980c