Trust Assessment
openkrill received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 1 critical, 3 high, 1 medium, and 0 low severity. Key findings include "Unencrypted storage of email credentials", "Unsanitized user input in JSON body for API call (create-email)", and "Unsanitized user input in JSON body for API call (create-wallet)".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 18/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Unencrypted storage of email credentials.** The skill stores generated email addresses, passwords, and authentication tokens in a local, unencrypted JSON file (`.agent-emails.json`). This makes these credentials highly vulnerable to harvesting if the agent's environment is compromised, as they are stored in plaintext on the filesystem. Implement secure, encrypted storage for sensitive credentials, or use a dedicated secrets management service. Avoid storing plaintext passwords and tokens directly on the filesystem. | LLM | scripts/create-email.ts:89 |
| HIGH | **Unsanitized user input in JSON body for API call (create-email).** The `customAddress` parameter, which can be user-provided via CLI arguments, is directly interpolated into the `address` field of a JSON payload sent to the Mail.tm API. If `customAddress` contains characters that break JSON string literals (e.g., `"`), it could lead to JSON injection, potentially altering the API request in unintended ways. Sanitize or strictly validate user-provided `customAddress` to ensure it only contains allowed characters for an email local part, or escape it properly before JSON serialization. | LLM | scripts/create-email.ts:100 |
| HIGH | **Unsanitized user input in JSON body for API call (create-wallet).** The `identifier` parameter, which can be user-provided via CLI arguments, is directly interpolated into the `identifier` field of a JSON payload sent to the thirdweb API. If `identifier` contains characters that break JSON string literals (e.g., `"`), it could lead to JSON injection, potentially altering the API request in unintended ways. Sanitize or strictly validate user-provided `identifier` to ensure it only contains allowed characters, or escape it properly before JSON serialization. | LLM | scripts/create-wallet.ts:40 |
| HIGH | **Potential Server-Side Request Forgery (SSRF) via target URL.** The `url` parameter, which is user-controlled via CLI arguments, is passed directly to the thirdweb `x402/fetch` API endpoint. The thirdweb API then makes a request to this provided `url`. If the thirdweb API does not sufficiently validate or sandbox the target `url`, an attacker could use this to perform Server-Side Request Forgery (SSRF), potentially accessing internal network resources or other unintended external services from the thirdweb server's perspective. While this would be a weakness in the thirdweb API rather than in the skill itself, the skill exposes this attack vector. Implement strict validation and sanitization of the `url` parameter before passing it to external APIs, ensuring it points only to allowed external domains. The thirdweb API should also implement robust SSRF protections. | LLM | scripts/fetch-with-payment.ts:40 |
| MEDIUM | **User-controlled data interpolated into executable command in output.** The `fund-wallet.ts` script constructs and prints a shell command (`npx ts-node check-balance.ts <wallet-address>`) to the console, interpolating the user-provided `wallet-address`. While the address is validated, an LLM agent might interpret this printed string as an instruction to execute. If the validation were weaker or bypassed, or if the agent's execution environment is not robust, this pattern could be exploited for command injection. Avoid printing executable commands with interpolated user input. Instead, provide clear, non-executable instructions or use a safer mechanism for suggesting follow-up actions. | LLM | scripts/fund-wallet.ts:140 |