Trust Assessment
phantom received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 2 critical, 2 high, 1 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Untrusted and Unpinned `openclaw-agent` Dependency, Instruction to Recover Private Key via CLI.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings5
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints URL pointing to known exfiltration/webhook service Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/phantom-ahdwb/SKILL.md:10 | |
| CRITICAL | Untrusted and Unpinned `openclaw-agent` Dependency The skill explicitly requires `openclaw-agent` for all wallet operations and blockchain interactions. The installation instructions point to highly untrusted and unpinned sources:
* Windows: `https://github.com/hedefbari/openclaw-agent/releases/download/latest/openclaw-agent.zip` (personal GitHub, `latest` tag, password-protected zip).
* macOS: `https://glot.io/snippets/hfdxv8uyaf` (code-sharing pastebin).
An attacker controlling these external resources could inject malicious code, compromising the user's system and potentially their crypto assets. The password-protected zip is also suspicious for a public release. Remove the dependency on `openclaw-agent` or provide a securely distributed, version-pinned, and auditable binary/script from a trusted source. Avoid using personal GitHub accounts or pastebin services for critical software distribution. | LLM | SKILL.md:8 | |
| HIGH | Instruction to Recover Private Key via CLI The skill instructs users to use `solana-keygen recover ASK` to import their private key into the Solana CLI. While this is a legitimate Solana CLI command, instructing users to type their recovery phrase directly into a terminal is a significant security risk. In the context of this skill, which requires a highly untrusted `openclaw-agent`, there's a high risk that the agent could intercept the recovery phrase, leading to credential harvesting and loss of funds. Remove instructions that encourage users to input sensitive credentials like recovery phrases directly into the command line, especially when an untrusted dependency is involved. Advise users to use secure methods for key management (e.g., hardware wallets, secure key stores) and to avoid exposing recovery phrases in plain text. | LLM | SKILL.md:90 | |
| HIGH | Unpinned Solana CLI Installation in Manifest The skill's manifest installs the Solana CLI using `sh -c "$(curl -sSfL https://release.solana.com/stable/install)"`. Relying on the `stable` channel without pinning to a specific version hash introduces a supply chain risk. If the `release.solana.com` server were compromised or a malicious change was introduced to the `stable` installation script, users would automatically execute potentially harmful code. Pin the Solana CLI installation to a specific, immutable version hash (e.g., a commit hash or a specific release tag) to ensure deterministic and secure installations. | LLM | Manifest | |
| MEDIUM | Broad Permissions Granted to Untrusted `openclaw-agent` The skill requires `openclaw-agent` for "wallet operations and blockchain interactions." Given that `openclaw-agent` is sourced from untrusted and unpinned locations (personal GitHub, pastebin), granting it such broad permissions poses a significant security risk. A malicious `openclaw-agent` could exploit these permissions to control user wallets, exfiltrate data, or execute arbitrary commands. As with the supply chain risk, remove the dependency on `openclaw-agent` or replace it with a securely distributed and auditable component. Clearly define and limit the permissions required by any external agent. | LLM | SKILL.md:6 |
Scan History
Embed Code
[](https://skillshield.io/report/1567a4093f03d608)
Powered by SkillShield