Trust Assessment
moltiverse-among received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 18 findings: 17 critical, 1 high, 0 medium, and 0 low severity. Key findings include "Network egress to untrusted endpoints", "Wallet Address and Agent Name Sent Over Unencrypted HTTP", and "Hardcoded Unencrypted API Endpoint Poses Significant Supply Chain Risk".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (18)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/kasyak0/moltiverse-among/SKILL.md:36 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/kasyak0/moltiverse-among/SKILL.md:46 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/kasyak0/moltiverse-among/SKILL.md:54 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/kasyak0/moltiverse-among/SKILL.md:65 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/kasyak0/moltiverse-among/SKILL.md:79 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/kasyak0/moltiverse-among/SKILL.md:86 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/kasyak0/moltiverse-among/SKILL.md:96 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/kasyak0/moltiverse-among/SKILL.md:144 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/kasyak0/moltiverse-among/SKILL.md:145 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/kasyak0/moltiverse-among/SKILL.md:153 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/kasyak0/moltiverse-among/SKILL.md:158 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/kasyak0/moltiverse-among/SKILL.md:161 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/kasyak0/moltiverse-among/SKILL.md:166 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/kasyak0/moltiverse-among/SKILL.md:169 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/kasyak0/moltiverse-among/SKILL.md:174 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/kasyak0/moltiverse-among/SKILL.md:179 |
| CRITICAL | **Hardcoded Unencrypted API Endpoint Poses Significant Supply Chain Risk.** All interactions with the game API are directed to a hardcoded IP address (`http://5.182.87.148:8080`) using unencrypted HTTP. This creates a critical supply chain vulnerability. The server operator is an arbitrary third party, and the lack of HTTPS means all communications are susceptible to Man-in-the-Middle (MITM) attacks, data interception, and manipulation. A compromised server could lead to various exploits, including serving malicious game logic, logging all user activity, or redirecting users to phishing sites, without any cryptographic assurance of the server's identity or data integrity. Migrate all API endpoints to use HTTPS with a trusted certificate. Encourage the use of a domain name instead of a raw IP address for better trust and flexibility. Implement robust server-side security measures and clearly communicate the identity and security practices of the API provider. | LLM | SKILL.md:110 |
| HIGH | **Wallet Address and Agent Name Sent Over Unencrypted HTTP.** The skill instructs the user to send their public wallet address and agent name to a hardcoded IP address (`5.182.87.148`) via unencrypted HTTP POST requests. This exposes user identifiers and activity to potential eavesdropping and logging by the server operator or any intermediary, compromising user privacy and potentially enabling tracking of on-chain activity linked to the agent. Implement HTTPS for all API endpoints to encrypt communication. Advise users against sending any sensitive or personally identifiable information over unencrypted channels. Consider using a domain name with a trusted certificate instead of a raw IP address. | LLM | SKILL.md:30 |