Trust Assessment
moneydevkit received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. Key findings include Wallet Seed Phrase (MDK_MNEMONIC) Exposure, Unpinned `npx` Dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Wallet Seed Phrase (MDK_MNEMONIC) Exposure.** The skill instructs users to store `MDK_MNEMONIC`, a wallet seed phrase, as an environment variable (`.env`, Replit Secrets, Vercel env vars). Exposing a seed phrase in this manner is a critical security vulnerability. If the application environment is compromised, the seed phrase could be exfiltrated, leading to the complete loss of funds from the associated wallet. Environment variables are often less secure than dedicated secret management systems and can be inadvertently logged or exposed. Implement a more secure method for handling `MDK_MNEMONIC`. This could involve using a dedicated hardware security module (HSM), a robust secret management service (e.g., AWS Secrets Manager, HashiCorp Vault), or requiring the user to manually sign transactions rather than exposing the seed phrase directly to the application environment. If direct access is unavoidable, ensure the environment variables are heavily protected and consider using ephemeral environments or just-in-time access. | LLM | SKILL.md:30 |
| HIGH | **Unpinned `npx` Dependency.** The instruction `npx @moneydevkit/create` executes a package from npm without specifying a version. This introduces a supply chain risk. If a malicious version of `@moneydevkit/create` is published (e.g., due to a compromise of the package maintainer's account or a typosquatting attack), users following this instruction could unknowingly execute arbitrary malicious code on their system. Always pin dependencies to a specific version or a narrow version range. For `npx`, this would look like `npx @moneydevkit/create@1.2.3` or `npx @moneydevkit/create@^1.0.0`. This ensures that users are always running a known, tested version of the tool. | LLM | SKILL.md:22 |
Full report: https://skillshield.io/report/807cef2908ea9b72
Powered by SkillShield