Trust Assessment
molt-pmxt received a trust score of 87/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 0 high, 2 medium, and 1 low severity. Key findings include Unpinned npm dependency version, Unpinned `pmxtjs` dependency in `package.json`, Potential exposure of private keys in error logs during initialization.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Unpinned npm dependency version: dependency `pmxtjs` is not pinned to an exact version (`^2.0.7`). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/realfishsam/molt-pmxt/package.json |
| MEDIUM | Unpinned `pmxtjs` dependency in `package.json`: the `pmxtjs` dependency is specified with a caret (`^`) range in `package.json`, allowing minor and patch updates. While `package-lock.json` pins the exact version, this configuration could lead to unexpected behavior or introduce vulnerabilities if a new version of `pmxtjs` contains breaking changes or malicious code, especially during initial setup or if `package-lock.json` is ignored. It is best practice to pin dependencies to exact versions for deterministic builds and enhanced security. Pin the `pmxtjs` dependency to an exact version (e.g., `"pmxtjs": "2.0.7"`) to ensure deterministic builds and prevent unintended updates. Apply this to other dependencies as well. | LLM | package.json:15 |
| LOW | Potential exposure of private keys in error logs during initialization: the `initExchanges` function logs initialization errors using `console.warn('Failed to initialize ... with auth:', e);`. If the `pmxtjs` library's error objects (`e`) contain or echo the provided `privateKey` or `apiKey` during a failed initialization, these sensitive credentials could be inadvertently written to the agent's logs. This poses a risk of credential exposure if logs are accessible. Review the error handling of `pmxtjs` to ensure sensitive data is not included in error messages. As a proactive measure, consider sanitizing the error object before logging, or log a generic message without the `e` object, e.g., `console.warn('Failed to initialize Polymarket with auth. Check environment variables.');` | LLM | src/tools.ts:17 |