Trust Assessment
memecoin-scanner received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 2 high, 1 medium, and 0 low severity. Key findings include Prompt Injection via Self-Modification and Unprompted Actions, Data Exfiltration via Unprompted External Communication, Potential Command Injection via Browser Automation Instruction.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Prompt Injection via Self-Modification and Unprompted Actions: The skill explicitly instructs the LLM to adopt a persona ('You are a self-improving trading bot') and to perform actions 'unprompted' (e.g., sending Telegram updates). More critically, it instructs the LLM to 'Update this document with new strategies' and 'Update this SKILL.md'. This self-modification capability allows the LLM to rewrite its own instructions, potentially introducing new, unreviewed directives or malicious behavior into its core definition, bypassing human oversight. Recommendation: Remove or strictly limit the agent's ability to modify its own skill definition (SKILL.md). Implement a human review process for any proposed changes to the skill's core instructions. For unprompted actions, ensure explicit user consent mechanisms are in place or that the scope of such actions is severely restricted. | LLM | SKILL.md:6 |
| HIGH | Data Exfiltration via Unprompted External Communication: The skill explicitly instructs the agent to 'Send regular Telegram updates to Rick (unprompted)' containing sensitive trading information such as 'Paper Portfolio', 'Active Positions', 'Today's Activity', 'Top Signal Right Now', and 'Strategy Notes'. This constitutes a direct and continuous exfiltration of potentially sensitive operational data to an external entity without explicit, per-instance user confirmation, posing a privacy and security risk. Recommendation: Implement strict controls requiring explicit user confirmation before sending any external communications, especially those containing operational data. Redact or anonymize sensitive information before transmission. Ensure that the recipient ('Rick') is a trusted and authorized party, and that the communication channel (Telegram) is secured. | LLM | SKILL.md:6 |
| HIGH | Excessive File System Permissions (Write Access to Skill Definition): The skill explicitly instructs the agent to 'update this skill with learnings' and 'Update this SKILL.md'. This grants the agent write access to its own skill definition file. This is an excessive permission, as it allows the agent to modify its own operational rules, potentially introducing vulnerabilities, changing its behavior, or escalating privileges without human review. Additionally, the skill requires write access to multiple reference files (`trading_journal.md`, `strategy_evolution.md`, `wallet_watchlist.md`, `token_blacklist.md`) and read access to 'past conversation memories'. Recommendation: Revoke the agent's ability to modify its own skill definition (SKILL.md). If self-improvement requires updating rules, implement a mechanism where the agent proposes changes for human review and approval. Restrict file system access to only necessary directories and operations, using least-privilege principles. For reference files, ensure they are stored in a dedicated, isolated directory. | LLM | SKILL.md:6 |
| MEDIUM | Potential Command Injection via Browser Automation Instruction: The 'Scanner Workflow' section includes pseudocode with a directive: `# Pseudocode - implement via browser automation`. This instruction explicitly guides the agent to implement functionality using browser automation tools. If not properly sandboxed and secured, browser automation can be a vector for command injection, allowing an attacker to execute arbitrary commands on the host system by manipulating the inputs or environment of the automation process. Recommendation: Ensure that any browser automation or external tool execution is performed within a highly restricted, sandboxed environment. Validate and sanitize all inputs passed to automation scripts. Consider using built-in, secure API calls instead of general-purpose browser automation where possible. | LLM | SKILL.md:150 |