Trust Assessment
moltmarkets-agent received a trust score of 97/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 0 medium, and 1 low severity. Key findings include API Key Transmitted to External Service.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| LOW | API Key Transmitted to External Service The `scripts/setup.js` file reads the MoltMarkets API key from `~/.config/moltmarkets/credentials.json` and includes it in the Authorization header of an HTTPS request to `api.zcombinator.io/molt/me`. While this is likely intended for credential validation, it means a sensitive API key is transmitted over the network to an external service. The security of the API key relies entirely on the trustworthiness and security of the `api.zcombinator.io` endpoint. If this endpoint is compromised or not the legitimate MoltMarkets API, the API key could be exposed. Verify the authenticity and security of the `api.zcombinator.io` endpoint. Ensure that the API key has the minimum necessary permissions (e.g., read-only for validation). Consider using more secure methods for credential storage and access, such as environment variables or a dedicated secrets manager, especially for production deployments. | LLM | scripts/setup.js:30 |
Scan History
Embed Code
[](https://skillshield.io/report/3949adb6df16b687)
Powered by SkillShield