Trust Assessment
moltmarkets-agent received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Direct API Key Access from User Home Directory.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Direct API Key Access from User Home Directory The `scripts/setup.js` file directly reads the `api_key` from `~/.config/moltmarkets/credentials.json` using `fs.readFileSync`. While this is for legitimate validation and use with the `api.zcombinator.io` endpoint, it demonstrates the script's capability to access and utilize sensitive credentials stored in the user's home directory. A malicious modification to this script could easily exfiltrate the `api_key` to an attacker-controlled server, posing a significant credential harvesting and data exfiltration risk. Implement more secure credential management practices. For example, encourage users to store API keys in environment variables that are passed to the script, or use platform-specific secret management solutions. If direct file access is unavoidable, ensure strict integrity checks on the script and educate users on the risks associated with running scripts that access sensitive files. | LLM | scripts/setup.js:28 |
Scan History
Embed Code
[](https://skillshield.io/report/dce94c6edff58fd3)
Powered by SkillShield