Trust Assessment
moltiverse-among received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 18 findings: 16 critical, 1 high, 1 medium, and 0 low severity. Key findings include "Network egress to untrusted endpoints", "Cryptocurrency private keys exposed in console output", and "Reliance on hardcoded external IP address for API endpoint".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (18)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL (16 findings) | Network egress to untrusted endpoints: HTTP request to raw IP address. Remediation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/kasyak0/moltiverse-amongus/SKILL.md, lines 36, 46, 54, 65, 79, 86, 96, 144, 145, 153, 158, 161, 166, 169, 174, 179 |
| HIGH | Cryptocurrency private keys exposed in console output. The skill provides instructions for generating cryptocurrency wallet private keys using `openssl`, `cast`, and `node.js`. In all provided examples, the generated private key is explicitly printed to the console. If an AI agent executes these commands, the private key could be captured in the agent's logs or context, leading to unauthorized access to the user's wallet and potential loss of funds. This is a direct credential harvesting risk. Remediation: Modify the wallet generation instructions to avoid printing private keys directly to standard output. Instead, guide users to store them securely (e.g., in a file with restricted permissions, or a secure vault) without displaying them. For AI agents, recommend using existing secure wallet integrations or environment variables for keys, rather than generating them in a way that exposes them to the agent's context. | LLM | SKILL.md:30 |
| MEDIUM | Reliance on hardcoded external IP address for API endpoint. The skill relies entirely on a hardcoded external IP address (`http://5.182.87.148:8080`) for all its API interactions. This introduces a supply chain risk, as the availability, security, and integrity of the game service depend on this single, unverified endpoint. If the server at this IP is compromised, goes offline, or becomes malicious, the skill will cease to function or could expose users to further risks (e.g., phishing, data manipulation). Using a registered domain name would offer more flexibility and trust mechanisms (such as DNSSEC and TLS certificates). Remediation: Replace the hardcoded IP address with a registered domain name. Implement proper TLS/SSL for secure communication to protect data in transit. Advise users on the risks of interacting with unverified external services and consider providing alternative, more secure endpoints if available. | LLM | SKILL.md:38 |