Trust Assessment
opensea-mcp received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 3 critical, 1 high, 1 medium, and 0 low severity. Key findings include Missing required field: name, Shell Command Injection via unescaped URL parameters, Shell Command Injection and Credential Harvesting via unescaped POST body and URL path.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Shell Command Injection via unescaped URL parameters.** The `opensea-get.sh` script constructs a URL from user-supplied `path` and `query` arguments and passes it directly to `curl` without proper shell escaping. An attacker can inject shell metacharacters (e.g., `$(command)`, `\|`, `;`, `&&`) into these arguments, leading to arbitrary command execution on the host system. This vulnerability affects all other scripts that call `opensea-get.sh` with user-controlled input, potentially allowing for data exfiltration, including the `OPENSEA_API_KEY` (SS-LLM-004). Remediation: use `printf %q` or `shell_quote` to properly escape user-supplied arguments before constructing the URL and passing it to `curl`. Alternatively, use `curl`'s `-G` and `--data-urlencode` options for query parameters, and ensure the path itself is sanitized. | LLM | scripts/opensea-get.sh:21 |
| CRITICAL | **Shell Command Injection and Credential Harvesting via unescaped POST body and URL path.** The `opensea-post.sh` script constructs a URL from a user-supplied `path` and takes a user-supplied `body` argument. Both are passed directly to `curl` without proper shell escaping. An attacker can inject shell metacharacters into the `path` or `body` arguments, leading to arbitrary command execution. This also enables **Credential Harvesting (SS-LLM-004)**, as the `OPENSEA_API_KEY` is sent in the `x-api-key` header and environment variables can be exfiltrated via injected commands in the `body`. This vulnerability affects `opensea-fulfill-listing.sh` and `opensea-fulfill-offer.sh`, which construct JSON bodies with user-controlled variables. Remediation: use `printf %q` or `shell_quote` to properly escape user-supplied arguments before constructing the URL and POST body. For JSON bodies, ensure that user-controlled values are properly JSON-escaped before embedding them into the `body` string. | LLM | scripts/opensea-post.sh:21 |
| CRITICAL | **Critical Command Injection and Private Key Exfiltration in `opensea-swap.sh`.** The `opensea-swap.sh` script directly embeds user-supplied arguments (`TO_TOKEN`, `AMOUNT`, `WALLET`, `CHAIN`, `FROM_TOKEN`) into a JSON string passed to `mcporter call`. This allows an attacker to inject shell metacharacters, leading to arbitrary command execution. Furthermore, the script uses the `PRIVATE_KEY` environment variable directly within an inline `node -e` script. A successful command injection could exfiltrate this `PRIVATE_KEY` (SS-LLM-004), leading to complete compromise of the user's wallet and funds. The script also constructs on-chain transactions based on potentially malicious `txData` from `mcporter` output, enabling arbitrary transaction execution. Remediation: all user-supplied arguments (`TO_TOKEN`, `AMOUNT`, `WALLET`, `CHAIN`, `FROM_TOKEN`) must be rigorously validated and shell-escaped before being embedded into the JSON string for `mcporter`. The `PRIVATE_KEY` should be handled with extreme care, ideally not passed directly into an inline script string. Consider using a more secure method for interacting with `mcporter` and `viem` that does not involve direct shell interpolation of sensitive data. Implement strict validation for all transaction parameters (`to`, `data`, `value`) before execution. | LLM | scripts/opensea-swap.sh:24 |
| HIGH | **Shell Command Injection via unescaped collection slug to `websocat`.** The `opensea-stream-collection.sh` script embeds the user-supplied `slug` argument directly into a JSON string (`join`), which is then passed to `printf` and piped to `websocat`. An attacker can inject shell metacharacters into the `slug`, leading to arbitrary command execution on the host system. This could also lead to **Credential Harvesting (SS-LLM-004)** if the injected command exfiltrates the `OPENSEA_API_KEY`, which is present in the `url` variable. Remediation: properly escape the user-supplied `slug` argument before embedding it into the JSON string. For example, use a function to JSON-escape the string or validate it against a strict whitelist of allowed characters. | LLM | scripts/opensea-stream-collection.sh:20 |
| MEDIUM | **Missing required field: name.** The `name` field is required for claude_code skills but is missing from the frontmatter. Remediation: add a `name` field to the SKILL.md frontmatter. | Static | skills/dfinzer/opensea-mcp/SKILL.md:1 |
Full report: https://skillshield.io/report/921c532c8f83f83b