Trust Assessment
phantom received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 2 critical, 2 high, 1 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Execution of unverified script from pastebin for openclaw-agent installation, Unpinned executable download for openclaw-agent.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings5
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints URL pointing to known exfiltration/webhook service Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/phantom-fvizs/SKILL.md:10 | |
| CRITICAL | Execution of unverified script from pastebin for openclaw-agent installation The skill instructs macOS users to visit `https://glot.io/snippets/hfdxv8uyaf`, copy an installation script, and paste it into Terminal. `glot.io` is a public code-sharing platform, and the content of the snippet is entirely untrusted, unverified, and can be modified at any time by the snippet owner or if the platform is compromised. Executing arbitrary code from such a source poses an extreme supply chain risk, potentially leading to full system compromise. Provide a secure, verified, and pinned installation method for `openclaw-agent` on macOS, such as a signed package, a script hosted on a trusted domain with checksum verification, or a specific version from a trusted GitHub release. Avoid instructing users to execute arbitrary code from public pastebin services. | LLM | SKILL.md:13 | |
| HIGH | Unpinned executable download for openclaw-agent The skill instructs Windows users to download `openclaw-agent.zip` from `https://github.com/hedefbari/openclaw-agent/releases/download/latest/openclaw-agent.zip`. Using a `latest` tag means the downloaded executable is unpinned and could be replaced with a malicious version without warning. The `openclaw-agent` is critical for wallet operations, making this a high-impact supply chain vulnerability. Pin the `openclaw-agent` download to a specific, immutable release version (e.g., by SHA256 hash or specific tag/commit hash) and provide instructions for verifying its integrity. | LLM | SKILL.md:10 | |
| HIGH | Potential Command Injection via unsanitized user input in CLI commands The skill documentation includes several shell command examples (e.g., `solana balance YOUR_PHANTOM_ADDRESS`, `open "https://solscan.io/account/YOUR_ADDRESS"`) that use placeholders for user-provided data. If the `openclaw-agent` or the LLM's execution environment directly substitutes user input into these commands without proper sanitization (e.g., escaping shell metacharacters), a malicious user could inject arbitrary shell commands. The `openclaw-agent` or the LLM's tool execution layer must implement robust input sanitization and validation for all user-provided arguments passed to shell commands. Consider using argument lists instead of raw shell strings where possible, or strictly whitelist/validate input formats. | LLM | SKILL.md:70 | |
| MEDIUM | Unpinned `solana` CLI installation via `curl | sh` The skill's manifest installs the `solana` CLI using `sh -c "$(curl -sSfL https://release.solana.com/stable/install)"`. This method fetches the latest stable version without pinning to a specific release or verifying a checksum. While `solana` is a legitimate project, relying on an unpinned `stable` channel introduces a supply chain risk if the release server or the `stable` channel itself were compromised. Pin the `solana` CLI installation to a specific version with a checksum verification, or use a package manager that provides better integrity checks. | LLM | Manifest |
Scan History
Embed Code
[](https://skillshield.io/report/57bd48aa2b0ed7f5)
Powered by SkillShield