Trust Assessment
lifi-orchestrator received a trust score of 42/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 1 critical, 0 high, 4 medium, and 0 low severity. Key findings include "Missing required field: name", "Suspicious import: requests", and "Insecure handling of private key via command-line argument".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Insecure handling of private key via command-line argument.** The `scripts/bridge.py` script allows users to pass their Ethereum private key directly as a command-line argument (`--private-key`). This is a severe security anti-pattern as private keys passed this way can be easily exposed in system process lists (`ps aux`), shell history files, and logs. This makes the private key vulnerable to credential harvesting by other processes or malicious actors on the same system. While the script also supports reading from an environment variable (a more secure method), the presence of the command-line option creates a critical vulnerability. Remove the `--private-key` command-line argument. Instead, enforce the use of secure environment variables (e.g., `PRIVATE_KEY`) or implement a method to prompt the user for the private key securely, ensuring it is not stored in shell history or exposed in process lists. Update all documentation and examples to reflect the secure method of providing credentials. | LLM | scripts/bridge.py:209 |
| MEDIUM | **Missing required field: name.** The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/rhlsthrm/lifi-orchestrator/SKILL.md:1 |
| MEDIUM | **Suspicious import: requests.** Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/rhlsthrm/lifi-orchestrator/scripts/bridge.py:8 |
| MEDIUM | **Suspicious import: requests.** Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/rhlsthrm/lifi-orchestrator/scripts/quote.py:6 |
| MEDIUM | **Suspicious import: requests.** Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/rhlsthrm/lifi-orchestrator/scripts/status.py:8 |