Trust Assessment
moltethos received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 2 critical, 1 high, 0 medium, and 0 low severity. Key findings include command injection via unvalidated input to 'cast send' commands, command injection via unvalidated input to 'curl' commands, and exposure of highly sensitive credentials ('PRIVATE_KEY') to potential command injection.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Command Injection via unvalidated input to 'cast send' commands: The skill describes executing 'cast send' commands with placeholders such as '<agentName>', '<type>', '<url>', '<AGENT_ID>', '<EVIDENCE>', and '<AGENT_METADATA_CID>'. If these values are derived from untrusted sources (e.g., user input, or data fetched from external APIs like Moltbook or Supabase that an attacker could manipulate) without proper shell escaping or validation, an attacker could inject arbitrary shell commands. This could lead to unauthorized blockchain transactions using the `$PRIVATE_KEY`, data exfiltration, or complete system compromise. All variables interpolated into shell commands must be strictly validated and properly escaped for the shell context. For JSON payloads, ensure proper JSON serialization and escaping. For numeric IDs, ensure strict type validation. Consider using a dedicated library for interacting with 'cast' or the blockchain directly rather than shell commands, or ensure a robust sandboxing mechanism for shell execution. | LLM | SKILL.md:33 |
| CRITICAL | Exposure of highly sensitive credentials ('PRIVATE_KEY') to potential command injection: The skill explicitly uses the `$PRIVATE_KEY` environment variable directly within 'cast send' shell commands. While this is necessary for the skill's functionality, it means that any successful command injection vulnerability (as described in previous findings) would grant an attacker direct access to this private key, enabling them to perform arbitrary blockchain transactions on behalf of the agent. This represents a severe risk of financial loss and compromise of the agent's identity. Implement robust input validation and shell escaping for all dynamic parts of shell commands. Consider using a secure execution environment or a more controlled API for blockchain interactions that doesn't expose the private key directly to the shell environment where untrusted input might be processed. If possible, use a signing service or hardware wallet that abstracts away the private key from the skill's direct execution environment. | LLM | SKILL.md:33 |
| HIGH | Command Injection via unvalidated input to 'curl' commands: The skill describes executing 'curl' commands with placeholders like '<id>', '<name>', and '<hash>' in the Supabase PATCH request. If these values are derived from untrusted sources without proper URL encoding, JSON escaping, or shell escaping, an attacker could inject arbitrary commands or manipulate the API requests. This could lead to unauthorized data modification in Supabase or data exfiltration. All variables interpolated into 'curl' commands (especially in URLs, headers, and JSON bodies) must be strictly validated and properly escaped for their respective contexts (URL encoding, JSON escaping, shell escaping). | LLM | SKILL.md:39 |