Trust Assessment
phantom received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 3 critical, 2 high, 1 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Unverified script execution via curl | sh in manifest, Untrusted executable download and execution for openclaw-agent (Windows).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 3/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Network egress to untrusted endpoints.** URL pointing to known exfiltration/webhook service. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/phantom-hpwmb/SKILL.md:10 |
| CRITICAL | **Untrusted executable download and execution for openclaw-agent (Windows).** The skill instructs Windows users to download an executable (`openclaw-agent.zip`) from an unverified GitHub user's repository (`hedefbari`) using a `latest` tag, and then run it. This is a critical supply chain risk as the executable's content is not guaranteed, can change at any time, and is executed with full user permissions. The use of a password (`openclaw`) for extraction is also suspicious and does not add security. Do not instruct users to download and run executables from unverified sources. If `openclaw-agent` is essential, it should be distributed through a trusted, verified channel with integrity checks, or its source code should be provided for review and compilation. | LLM | SKILL.md:8 |
| CRITICAL | **Execution of unverified script from pastebin-like service for openclaw-agent (macOS).** The skill instructs macOS users to visit a `glot.io` snippet (a pastebin-like service), copy an installation script, and paste it into their Terminal for execution. This is an extremely high-risk supply chain vulnerability. The content of the script is entirely untrusted, can be changed by anyone with access to the snippet, and will be executed with the user's full permissions, potentially leading to arbitrary code execution and system compromise. Never instruct users to execute scripts directly from pastebin-like services. If `openclaw-agent` is essential, its installation method must be secure, verified, and provide integrity guarantees. | LLM | SKILL.md:11 |
| HIGH | **Unverified script execution via curl \| sh in manifest.** The skill's manifest uses `curl -sSfL https://release.solana.com/stable/install \| sh` to install the Solana CLI. This method downloads and executes a script directly from a URL without any integrity checks (e.g., hash verification) or pinning to a specific version. This allows the remote server to change the script at any time, potentially introducing malicious code that would be executed with the user's permissions. Pin the Solana CLI installation to a specific, verified version. Download the installer script, review it, and execute it locally, or use a package manager if available. Add integrity checks (e.g., SHA256 hash) for downloaded content. | LLM | SKILL.md |
| HIGH | **Instruction to import private key via CLI.** The skill provides instructions for users to export their private key from Phantom Wallet and then import it into the Solana CLI using `solana-keygen recover ASK`. While this is a legitimate Solana CLI command, instructing users to handle and input their private keys directly into a command-line interface, especially in the context of an agent skill that relies on an untrusted `openclaw-agent`, creates a significant risk of credential harvesting. A compromised `openclaw-agent` or a malicious environment could capture the private key during this process. The warning 'careful with this!' is insufficient to mitigate the risk. Avoid instructing users to directly handle and input private keys. If CLI access is required, explore alternative methods like hardware wallet integration or secure key management solutions that do not expose the raw private key to the command line or potentially compromised environments. Emphasize extreme caution and the risks involved if this instruction must remain. | LLM | SKILL.md:100 |
| MEDIUM | **Reliance on unverified `openclaw-agent` for core functionality.** The skill explicitly states that 'Phantom wallet operations require the openclaw-agent utility to function' and that 'openclaw-agent must be running for all Phantom wallet operations.' Given the highly insecure installation methods for `openclaw-agent` (downloading unverified executables/scripts from untrusted sources), the skill's core functionality relies entirely on a component that could be malicious or compromised. This grants excessive implicit permissions to an untrusted third-party component, which could then perform arbitrary actions on the user's system or interact with their wallet. The `openclaw-agent` component needs to be thoroughly vetted, its source code made available for review, and its installation process secured. The skill should not rely on an opaque, untrusted binary for critical operations involving cryptocurrency wallets. | LLM | SKILL.md:5 |