Trust Assessment
moltmarkets-trader received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 10 findings: 10 critical, 0 high, 0 medium, and 0 low severity. Key findings include Remote code execution: curl/wget pipe to shell, Command Injection via unsanitized 'duration_minutes' argument.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (10)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Remote code execution: curl/wget pipe to shell. Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/spiceoogway/moltmarkets-trader/scripts/check-resolution-needed.sh:17 |
| CRITICAL | Remote code execution: curl/wget pipe to shell. Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/spiceoogway/moltmarkets-trader/scripts/create-market-with-odds.sh:75 |
| CRITICAL | Remote code execution: curl/wget pipe to shell. Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/spiceoogway/moltmarkets-trader/scripts/create-market-with-odds.sh:150 |
| CRITICAL | Remote code execution: curl/wget pipe to shell. Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/spiceoogway/moltmarkets-trader/scripts/create-market.sh:48 |
| CRITICAL | Remote code execution: curl/wget pipe to shell. Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/spiceoogway/moltmarkets-trader/scripts/my-positions.sh:14 |
| CRITICAL | Remote code execution: curl/wget pipe to shell. Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/spiceoogway/moltmarkets-trader/scripts/my-positions.sh:33 |
| CRITICAL | Remote code execution: curl/wget pipe to shell. Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/spiceoogway/moltmarkets-trader/scripts/place-bet.sh:42 |
| CRITICAL | Remote code execution: curl/wget pipe to shell. Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/spiceoogway/moltmarkets-trader/scripts/resolve-market.sh:33 |
| CRITICAL | Command Injection via unsanitized 'duration_minutes' argument. The 'duration_minutes' argument in 'create-market.sh' is directly interpolated into the 'date' command without proper sanitization. This allows an attacker to inject arbitrary shell commands by providing a malicious string for 'duration_minutes'. For example, passing '1; rm -rf /' as the duration would execute 'rm -rf /' on the host system. Strictly validate the 'duration_minutes' argument to ensure it contains only numeric characters before using it in the 'date' command. For example, add a check like `if ! [[ "$DURATION" =~ ^[0-9]+$ ]]; then echo "Error: duration_minutes must be a positive integer."; exit 1; fi`. | LLM | scripts/create-market.sh:19 |
| CRITICAL | Command Injection via unsanitized 'duration_minutes' argument. The 'duration_minutes' argument in 'create-market-with-odds.sh' is directly interpolated into the 'date' command without proper sanitization. This allows an attacker to inject arbitrary shell commands by providing a malicious string for 'duration_minutes'. For example, passing '1; rm -rf /' as the duration would execute 'rm -rf /' on the host system. Strictly validate the 'duration_minutes' argument to ensure it contains only numeric characters before using it in the 'date' command. For example, add a check like `if ! [[ "$DURATION" =~ ^[0-9]+$ ]]; then echo "Error: duration_minutes must be a positive integer."; exit 1; fi`. | LLM | scripts/create-market-with-odds.sh:34 |