Trust Assessment
openbroker received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 1 high, 2 medium, and 0 low severity. Key findings include Unpinned npm dependency version, Excessive Bash Permissions for Financial Operations, Private Key Stored in Accessible Environment/File.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Excessive Bash Permissions for Financial Operations.** The skill declares `Bash(openbroker:*)` permission, allowing the AI agent to execute any command with the `openbroker` CLI. Since `openbroker` is a trading tool that uses a private key to sign financial transactions, this broad permission enables the agent to perform arbitrary trading operations, including opening/closing positions, placing orders, and potentially draining funds or manipulating the user's account without explicit user consent for each specific action. This poses a severe risk of financial loss. Restrict `Bash` permissions to a very narrow, predefined set of `openbroker` subcommands and arguments. Implement a more granular tool interface that requires explicit user confirmation or a human-in-the-loop for sensitive financial transactions. Avoid wildcard permissions for tools handling sensitive operations. | LLM | SKILL.md:1 |
| HIGH | **Private Key Stored in Accessible Environment/File.** The `HYPERLIQUID_PRIVATE_KEY` is stored in `~/.openbroker/.env` and loaded into `process.env`. The skill has `Read` permission, which allows it to read this file directly. An attacker exploiting other vulnerabilities (e.g., prompt injection leading to file read) could exfiltrate the private key. Furthermore, the `Bash(openbroker:*)` permission allows the agent to use this private key for signing transactions, effectively granting full control over the user's Hyperliquid account if compromised. Implement secure credential management. Avoid storing private keys in plaintext files or environment variables directly accessible to the agent. Consider using a Key Management Service (KMS), hardware wallet integration, or a secure vault that requires explicit, time-limited authorization for each signing operation. | LLM | scripts/core/config.ts:49 |
| MEDIUM | **Unpinned npm dependency version.** Dependency '@nktkas/hyperliquid' is not pinned to an exact version ('^0.30.3'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/ya7ya/openbroker/package.json |
| MEDIUM | **Unpinned Major Versions in Dependencies.** The `package.json` specifies dependencies using unpinned major versions (e.g., `^0.30.3` for `@nktkas/hyperliquid`, `^17.2.3` for `dotenv`, `^4.19.0` for `tsx`, `^2.21.0` for `viem`). While `package-lock.json` pins exact versions, this practice introduces a supply chain risk. A future `npm install` or `npm update` could pull in new, potentially malicious or breaking versions if the lockfile is ignored or regenerated, leading to unexpected behavior or security vulnerabilities. Pin all dependencies to exact versions in `package.json` (e.g., `"@nktkas/hyperliquid": "0.30.3"` instead of `"^0.30.3"`). Regularly audit dependencies for known vulnerabilities and update them cautiously. | LLM | package.json:30 |