Trust Assessment
paytoll received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. Key findings include Direct exposure of PRIVATE_KEY to untrusted npx command, Unpinned `npx` dependency allows arbitrary code execution from latest version.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Direct exposure of PRIVATE_KEY to untrusted npx command The skill requires the user's `PRIVATE_KEY` as an environment variable and passes it directly to an `npx` command (`npx paytoll-mcp`). While the skill claims the key 'never leaves your machine' and is 'only used locally to sign EIP-712 payment authorizations,' the `paytoll-mcp` package executed via `npx` is an external dependency. A malicious or compromised version of this package could easily access and exfiltrate the `PRIVATE_KEY`, leading to complete compromise of the associated wallet. This constitutes both credential harvesting and data exfiltration. 1. **Isolate Key Usage:** The `PRIVATE_KEY` should ideally be used within a highly secure, isolated environment (e.g., a secure enclave, hardware wallet, or a strictly sandboxed process) that does not expose it to arbitrary `npx` scripts. 2. **Review `paytoll-mcp`:** Thoroughly audit the `paytoll-mcp` source code (and its dependencies) to ensure it handles the `PRIVATE_KEY` securely and does not contain any exfiltration vectors. 3. **Alternative Signing:** Explore alternative methods for signing EIP-712 messages that do not require exposing the raw `PRIVATE_KEY` to an external process, such as using a local signing service or a browser extension wallet. 4. **Least Privilege:** If direct key exposure is unavoidable, ensure the wallet associated with the `PRIVATE_KEY` holds minimal funds and is used *only* for this specific purpose, as recommended by the skill itself. | LLM | SKILL.md | |
| HIGH | Unpinned `npx` dependency allows arbitrary code execution from latest version The skill executes `npx paytoll-mcp` without specifying a version. This means `npx` will fetch and execute the latest version of the `paytoll-mcp` package from npm. A malicious actor could publish a new version of `paytoll-mcp` containing arbitrary code (e.g., to exfiltrate the `PRIVATE_KEY` or perform other harmful actions), which would then be automatically executed by the user's system. This is a significant supply chain vulnerability, especially when combined with the direct exposure of a `PRIVATE_KEY`. 1. **Pin Dependency Version:** Always specify a precise version for `npx` dependencies (e.g., `npx paytoll-mcp@1.2.3`). This ensures that only a known, audited version is executed. 2. **Integrity Checks:** Implement integrity checks (e.g., checksums) for the `paytoll-mcp` package to verify its authenticity before execution. 3. **Local Installation:** Consider installing `paytoll-mcp` locally and running it directly, rather than relying on `npx` to fetch it every time, which provides more control over the installed version. 4. **Monitor Upstream:** Regularly monitor the `paytoll-mcp` repository and npm package for any suspicious updates or changes. | LLM | SKILL.md |
Scan History
Embed Code
[](https://skillshield.io/report/459a0e9e5c812393)
Powered by SkillShield