Trust Assessment
karmabank received a trust score of 59/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 2 high, 1 medium, and 2 low severity. Key findings include Unpinned npm dependency version, Direct source dependency in package.json, Node lockfile missing.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Detail | Layer | Location |
|---|---|---|---|---|
| HIGH | Direct source dependency in package.json | Dependency `@circle/openclaw-wallet-skill` uses the non-registry source `file:../skills/circle-wallet`, which increases supply-chain risk. Prefer vetted registry releases pinned to exact versions. | Dependencies | skills/abdhilabs/karmabank-minimal/package.json |
| HIGH | Local file dependency used | `package.json` declares a dependency by local file path (`file:../skills/circle-wallet`). The package is resolved from the local checkout rather than a registry, so there is no registry provenance or integrity hash, no version pinning, and no public audit trail; any defect or malicious code in the referenced `circle-wallet` skill flows directly into `karmabank` without the usual supply-chain safeguards. Replace local file dependencies with published, version-pinned packages from a trusted registry. If the dependency is internal, use a private package registry or vendor the code under strict review and version control. | LLM | package.json:34 |
| MEDIUM | Unpinned npm dependency version | Dependency `@circle-fin/developer-controlled-wallets` is not pinned to an exact version (`^10.1.0`). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/abdhilabs/karmabank-minimal/package.json |
| LOW | Node lockfile missing | `package.json` is present but no lockfile was found (`package-lock.json`, `pnpm-lock.yaml`, or `yarn.lock`). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/abdhilabs/karmabank-minimal/package.json |
| LOW | Unpinned dependencies | `package.json` uses caret (`^`) and tilde (`~`) ranges for most dependencies, so minor or patch updates are installed automatically. This is convenient but means a malicious or breaking release from a dependency maintainer is picked up on the next install, and it hinders reproducible builds. Pin dependencies to exact versions (e.g., `10.1.0` instead of `^10.1.0`), commit a lockfile (`package-lock.json` or `yarn.lock`), and audit dependencies regularly for known vulnerabilities. | LLM | package.json:33 |
Full report: https://skillshield.io/report/3a106e8e391851ca (powered by SkillShield)