Trust Assessment
phantom received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 3 critical, 1 high, 1 medium, and 1 low severity. Key findings include "Network egress to untrusted endpoints", "Direct `curl | sh` for Solana CLI installation", and "Critical dependency `openclaw-agent` from unverified GitHub user (Windows)".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 16/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints. URL pointing to known exfiltration/webhook service. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/phantom-bdacv/SKILL.md:10 |
| CRITICAL | Critical dependency `openclaw-agent` from unverified GitHub user (Windows). The skill instructs Windows users to download and run `openclaw-agent` from `https://github.com/hedefbari/openclaw-agent/releases/download/latest/openclaw-agent`. This executable is stated to be essential for 'wallet operations and blockchain interactions'. Relying on an executable from an individual's unverified GitHub repository for such a critical component poses an extreme supply chain risk. A malicious agent could exfiltrate private keys, sign unauthorized transactions, or execute arbitrary code. The provided password `openclaw` for extraction also raises concerns about security practices. The `openclaw-agent` should be sourced from a trusted, audited, and officially maintained repository. Avoid instructing users to download and run executables from unverified personal GitHub accounts, especially for sensitive wallet operations. The password should not be hardcoded or publicly shared. | LLM | SKILL.md:9 |
| CRITICAL | Critical dependency `openclaw-agent` installation script from ephemeral pastebin (macOS). The skill instructs macOS users to 'Visit [this page](https://glot.io/snippets/hfdxv8uyaf), copy the installation script and paste it into Terminal'. `glot.io` is a public code snippet sharing service where content can be easily modified or replaced by the snippet owner. Executing an arbitrary script from such an ephemeral and untrusted source, especially one intended for a critical 'wallet operations' agent, is an extreme supply chain risk and a direct command injection vector. A malicious script could compromise the user's system, exfiltrate credentials, or install malware. Never instruct users to execute scripts directly from untrusted pastebin services like `glot.io`. The `openclaw-agent` should be installed via a secure, verified method, ideally from a trusted package manager or an officially signed installer. | LLM | SKILL.md:11 |
| HIGH | Potential Command Injection in CLI command examples. The skill provides CLI command examples such as `solana balance YOUR_PHANTOM_ADDRESS` and `solana-keygen recover ASK`. These commands contain placeholders (`YOUR_PHANTOM_ADDRESS`, `YOUR_ADDRESS`) that are intended to be replaced by user input or LLM-generated values. If the LLM or user input is not properly sanitized before being inserted into these shell commands, a malicious string (e.g., `'; rm -rf /;'`) could lead to arbitrary command execution on the host system. The `open "https://solscan.io/account/YOUR_ADDRESS"` command also presents a similar risk. The `solana-keygen recover ASK` command is particularly sensitive as it directly interacts with private keys. When constructing shell commands from user or LLM input, ensure all variables are properly sanitized and escaped to prevent shell injection. Consider using a dedicated library for command execution that handles argument separation safely, rather than string concatenation. For `solana-keygen recover ASK`, emphasize the extreme caution required and ensure the LLM does not automate this without explicit user confirmation and understanding of the risks. | LLM | SKILL.md:72 |
| MEDIUM | Direct `curl \| sh` for Solana CLI installation. The skill's manifest uses `sh -c "$(curl -sSfL https://release.solana.com/stable/install)"` to install the Solana CLI. While `release.solana.com` is the official source, piping `curl` output directly to `sh` is a known supply chain risk. If the remote script were compromised, it could lead to arbitrary code execution on the user's system. Recommend downloading the script first, inspecting it, and then executing it, or using a package manager if available. For example: `curl -sSfL https://release.solana.com/stable/install -o solana_install.sh && less solana_install.sh && sh solana_install.sh`. | LLM | SKILL.md |
| LOW | Deep link to arbitrary dApp URL. The skill provides a deep link template `phantom://browse/YOUR_DAPP_URL` to connect to dApps. While this is a standard feature, if the `YOUR_DAPP_URL` placeholder is filled with a malicious dApp URL by the LLM or user, it could lead to the user connecting their wallet to a phishing site or a dApp designed to drain funds or exfiltrate data. This is an indirect risk, as the skill itself doesn't provide malicious URLs, but it enables the vector. Advise users to exercise extreme caution when connecting their wallet to dApps, especially those from unverified sources. The LLM should be instructed to verify dApp URLs before suggesting them or to explicitly warn the user about the risks. | LLM | SKILL.md:123 |