Trust Assessment
moltbot-arena received a trust score of 80/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 4 findings: 0 critical, 0 high, 3 medium, and 0 low severity. Key findings include "Suspicious import: requests", "Hardcoded API Key Instruction in JavaScript Example", and "Hardcoded API Key Instruction in Python Example".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | **Suspicious import: requests.** Import of `requests` detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/giulianomlodi/moltbot-arena/scripts/game_loop.py:16 |
| MEDIUM | **Hardcoded API Key Instruction in JavaScript Example.** The example JavaScript game loop explicitly instructs users to hardcode their API key directly into the source file (`KEY = "ma_your_key"; // UPDATE THIS`). This is a significant security anti-pattern: it exposes the key in plain text within the codebase, making it vulnerable to accidental commits to version control, unauthorized access if the file is compromised, or exposure in logs and execution environments. Secrets should be managed securely, not embedded directly in code. Modify the script to retrieve the API key from a secure source, such as an environment variable (e.g., `process.env.MOLTBOT_API_KEY`) or a dedicated configuration management system. Update documentation to guide users on setting up environment variables. | LLM | scripts/game_loop.js:15 |
| MEDIUM | **Hardcoded API Key Instruction in Python Example.** The example Python game loop explicitly instructs users to hardcode their API key directly into the source file (`KEY = "ma_your_key" # UPDATE THIS`). This is a significant security anti-pattern: it exposes the key in plain text within the codebase, making it vulnerable to accidental commits to version control, unauthorized access if the file is compromised, or exposure in logs and execution environments. Secrets should be managed securely, not embedded directly in code. Modify the script to retrieve the API key from a secure source, such as an environment variable (e.g., `os.environ.get("MOLTBOT_API_KEY")`) or a dedicated configuration management system. Update documentation to guide users on setting up environment variables. | LLM | scripts/game_loop.py:17 |
| INFO | **Unpinned Dependency in Python Example.** The Python example script imports the `requests` library without specifying a version. While `requests` is a widely used and generally trusted library, relying on unpinned dependencies can introduce supply chain risks: future versions of the library might introduce breaking changes, vulnerabilities, or unexpected behavior. For production-grade code, it is best practice to pin dependencies to specific versions. Add a `requirements.txt` file (or `pyproject.toml` with `poetry`/`pip-tools`) to the project, specifying exact versions for all dependencies, e.g., `requests==2.28.1`. Instruct users to install dependencies using `pip install -r requirements.txt`. | LLM | scripts/game_loop.py:11 |
Full report: [SkillShield report for moltbot-arena](https://skillshield.io/report/88d1ec9ecb59b503)