Trust Assessment
kaspa-dev received a trust score of 69/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 3 medium, and 0 low severity. Key findings include "Suspicious import: requests", "Insecure Private Key Logging in Example", and "Private Key Passed via Command-Line Argument".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Private Key Passed via Command-Line Argument.** The `scripts/build-transaction.py` script's example usage and function signature instruct users to pass a private key (WIF format) directly as a command-line argument. This is highly insecure, as command-line arguments can be visible in process lists, shell history, and logs, making the private key vulnerable to exposure. If this script were executed by an LLM with access to such a key, it would directly use it, posing a significant credential harvesting risk. Avoid passing private keys directly as command-line arguments. Instead, recommend using environment variables, secure input prompts, or integrating with a secure key management system (e.g., a hardware wallet, KMS, or encrypted file) to handle sensitive credentials. | LLM | scripts/build-transaction.py:14 |
| MEDIUM | **Suspicious import: requests.** Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/codecustard/kaspa-dev/scripts/build-transaction.py:25 |
| MEDIUM | **Insecure Private Key Logging in Example.** The JavaScript example code in the SKILL.md explicitly logs a generated private key to the console. While this is an example for demonstration, it normalizes and encourages an insecure practice of exposing sensitive credentials. If a user were to adapt this code for a real application, or if an LLM were to interpret this as a recommended practice, it could lead to the compromise of private keys. Remove or redact the private key from the `console.log` statement in the example. Instead, suggest secure storage or handling mechanisms for private keys, or only log the public address. | LLM | SKILL.md:40 |
| MEDIUM | **API Key Handling in RPC Client.** The `KaspaRPCClient` in `scripts/build-transaction.py` takes an `api_key` in its constructor and uses it in an `Authorization` header for API requests. While the provided snippet does not show how this `api_key` is obtained, its presence indicates that a sensitive credential is being handled. Insecure methods of providing this key (e.g., hardcoding, insecure command-line arguments, or unencrypted configuration files) could lead to credential exposure. Ensure that API keys are loaded from secure sources, such as environment variables, a dedicated secrets management service, or encrypted configuration files, rather than being hardcoded or passed through insecure channels. Provide clear instructions on how to securely configure this API key. | LLM | scripts/build-transaction.py:140 |
Full report: https://skillshield.io/report/f9171cd2db232855
Powered by SkillShield