Trust Assessment
ok-computers received a trust score of 63/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 0 critical, 1 high, 3 medium, and 2 low severity. Key findings include "Missing required field: name", "Unpinned npm dependency version", and "Node lockfile missing".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **API key exposed in command line arguments.** The `SKILL.md` documentation demonstrates using `child_process.execSync` to execute `curl` commands, embedding the `BANKR_API_KEY` directly into the command string. This practice exposes the sensitive API key in the process's command-line arguments, which can be visible to other users or processes on the system (e.g., via `ps -ef`). This significantly increases the risk of credential harvesting. Avoid embedding sensitive credentials directly into command-line arguments for child processes. Instead, use a dedicated HTTP client library (e.g., `node-fetch`, `axios`) to make API calls, passing the API key securely in the HTTP header. If `child_process` must be used, pass the API key via the `env` option of `execSync` or `spawn` to set an environment variable for the child process, rather than embedding it in the command string. | LLM | SKILL.md:135 |
| MEDIUM | **Missing required field: name.** The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/potdealer/ok-computers/SKILL.md:1 |
| MEDIUM | **Unpinned npm dependency version.** Dependency 'ethers' is not pinned to an exact version ('^6.0.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/potdealer/ok-computers/package.json |
| MEDIUM | **Use of `child_process.execSync` for external API calls.** The `SKILL.md` documentation demonstrates using `child_process.execSync` to make `curl` requests to an external API. While `JSON.stringify` is used to escape the transaction data, relying on shell execution and string escaping for user-controlled content is inherently risky and complex. A subtle mistake in escaping or an unexpected shell interpretation could lead to command injection, allowing an attacker to execute arbitrary commands on the host system if they can control the `tx` object's content. Using a dedicated HTTP client library is safer and more robust. Replace `child_process.execSync` calls with a robust HTTP client library (e.g., `node-fetch`, `axios`). This eliminates the need for shell execution and complex string escaping, significantly reducing the risk of command injection. | LLM | SKILL.md:135 |
| LOW | **Node lockfile missing.** package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/potdealer/ok-computers/package.json |
| LOW | **Unpinned dependency `ethers`.** The `package.json` specifies the `ethers` dependency with a caret range (`^6.0.0`). This allows automatic updates to minor and patch versions. While convenient, this can introduce unexpected behavior or vulnerabilities if a new version contains a breaking change or a security flaw. For security-critical components, pinning to an exact version (e.g., `6.11.1`) is recommended to ensure deterministic builds and reduce the risk of supply chain attacks. Pin the `ethers` dependency to an exact version (e.g., `"ethers": "6.11.1"`) to ensure deterministic builds and prevent unintended updates that could introduce vulnerabilities. Regularly audit and manually update dependencies. | LLM | package.json:10 |