Trust Assessment
kaspa-wallet received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 11 findings: 2 critical, 6 high, 3 medium, and 0 low severity. Key findings include Unsafe environment variable passthrough, Arbitrary command execution, Credential harvesting.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (11)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/manyfestation/kaspa/install.py:137 |
| CRITICAL | Credential harvesting. Bulk environment variable dump. Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/manyfestation/kaspa/install.py:132 |
| HIGH | Unsafe environment variable passthrough. Bulk environment variable harvesting. Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/manyfestation/kaspa/install.py:132 |
| HIGH | Dangerous tool allowed: Bash. The skill allows the 'Bash' tool without constraints. This grants arbitrary command execution. Remove unconstrained shell/exec tools from allowed-tools, or add specific command constraints. | Static | skills/manyfestation/kaspa/SKILL.md:1 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'run_command'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/manyfestation/kaspa/install.py:137 |
| HIGH | Broad tool permissions declared in manifest. The skill declares broad permissions including 'Bash', 'Read', 'Write', 'Glob', 'Grep', and 'Task'. 'Bash' allows arbitrary command execution, 'Write' allows arbitrary file modification, and 'Task' allows for complex, potentially privileged operations. These permissions grant the skill extensive control over the environment, significantly increasing the attack surface if the skill is compromised or misused. Review and restrict 'allowed-tools' to the absolute minimum necessary for the skill's functionality. For example, if only Python scripts are run, 'Bash' might not be strictly necessary, or its scope could be limited. | LLM | SKILL.md |
| HIGH | Arbitrary executable path via KASPA_PYTHON environment variable. Both 'install.py' and 'kaswallet.sh' check for and use the 'KASPA_PYTHON' environment variable to determine the Python executable. If a malicious actor can set this environment variable to point to an arbitrary executable (e.g., '/tmp/malicious_script.sh'), the skill will execute that program instead of the intended Python interpreter, leading to arbitrary command injection. Avoid using environment variables to specify executable paths directly. If an override is necessary, validate the path against a whitelist of trusted executables or ensure it resides within a secure, read-only environment. | LLM | install.py:87 |
| HIGH | Wallet mnemonic exposed via standard output. The 'generate-mnemonic' command, as described in 'SKILL.md', is designed to generate and print a new 24-word mnemonic phrase directly to standard output ('stdout') using the '_json' function in 'scripts/kaswallet.py'. While this is the intended functionality of the command, in an AI agent environment, 'stdout' is often captured, logged, or stored in conversation history. This direct exposure of a critical secret (the mnemonic) poses a significant data exfiltration risk, as it could allow unauthorized access to the generated wallet. For sensitive outputs like mnemonics, consider alternative secure output methods that do not expose the secret directly to 'stdout' or agent logs. This might involve displaying it only to the user in a secure terminal, requiring explicit confirmation, or encrypting the output. If direct output is unavoidable, clearly warn the user about the risks and advise on secure handling. | LLM | scripts/kaswallet.py:30 |
| MEDIUM | Suspicious import: urllib.request. Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/manyfestation/kaspa/install.py:240 |
| MEDIUM | Unpinned Python dependency version. Requirement 'kaspa' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/manyfestation/kaspa/requirements.txt:1 |
| MEDIUM | Unpinned Python dependency in requirements.txt. The 'requirements.txt' file specifies the 'kaspa' package without a version pin ('kaspa'). This means that 'pip install' will always fetch the latest available version. A malicious actor could publish a compromised version of the 'kaspa' package, which would then be automatically installed and executed by this skill, leading to a supply chain compromise. Pin the dependency to a specific version (e.g., 'kaspa==1.2.3') or at least a major/minor version range (e.g., 'kaspa~=1.2.0') to prevent unexpected or malicious updates. | LLM | requirements.txt:1 |