Trust Assessment
phantom received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 2 critical, 2 high, 2 medium, and 0 low severity. Key findings include "Network egress to untrusted endpoints", "Unverified script execution during Solana CLI installation", and "Execution of unverified script from untrusted source (glot.io)".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 26/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | URL pointing to known exfiltration/webhook service | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/phantom-nrqdw/SKILL.md:10 |
| CRITICAL | Execution of unverified script from untrusted source (glot.io) | The skill instructs users to download and execute a script from `https://glot.io/snippets/hfdxv8uyaf` by copying and pasting it into the terminal. `glot.io` is a public pastebin service, not a trusted software distribution platform. The content of the script can be changed at any time by the snippet owner, or the snippet itself could be malicious. This poses a severe supply chain risk and a direct command injection vector, allowing arbitrary code execution on the user's system. | Distribute `openclaw-agent` through official, trusted channels (e.g., signed binaries, official package repositories, or a dedicated, secure download page with checksums). Never instruct users to execute scripts from pastebin-like services. | LLM | SKILL.md:10 |
| HIGH | Download of unverified executable from arbitrary GitHub release | The skill instructs users to download an executable (`openclaw-agent.zip`) from a GitHub release URL (`https://github.com/hedefbari/openclaw-agent/releases/download/latest/openclaw-agent.zip`) belonging to a user `hedefbari`. This is not an official or verified distribution channel for `openclaw-agent`. Downloading and running executables from unverified sources introduces a significant supply chain risk, as the file could be tampered with or replaced with malicious software. | Distribute `openclaw-agent` through official, trusted channels (e.g., signed binaries, official package repositories, or a dedicated, secure download page with checksums). Avoid instructing users to download executables from arbitrary GitHub user repositories. | LLM | SKILL.md:7 |
| HIGH | Potential command injection in CLI instructions | The skill provides CLI commands with placeholders like `YOUR_PHANTOM_ADDRESS` and `YOUR_ADDRESS`. If an AI agent is designed to assist the user by substituting these placeholders with user-provided input and then executing the command directly in a shell without proper sanitization or escaping, it creates a command injection vulnerability. A malicious user could inject shell commands into the placeholder, leading to arbitrary code execution. The `open` command is particularly susceptible. | When an AI agent executes shell commands based on user input, all user-provided variables must be strictly sanitized and properly escaped to prevent command injection. Consider using a safer execution method that separates commands from arguments, or explicitly whitelist allowed characters. | LLM | SKILL.md:69 |
| MEDIUM | Unverified script execution during Solana CLI installation | The skill's manifest includes an installation command that downloads and executes a shell script directly from `https://release.solana.com/stable/install` using `curl \| sh`. While `solana.com` is a legitimate source, executing scripts directly from the internet without prior review or integrity checks introduces a supply chain risk. A compromise of the source server or the script itself could lead to arbitrary code execution on the host system. | Prefer package managers or verified binaries with integrity checks (e.g., checksums). If direct script execution is necessary, implement robust integrity verification before execution. | LLM | SKILL.md |
| MEDIUM | Instructions for importing private keys via CLI | The skill provides instructions on how to export a private key from Phantom and then import it into the Solana CLI using `solana-keygen recover ASK`. While this is a legitimate function, its inclusion in the skill exposes a direct path for credential harvesting if a malicious agent or a social engineering attack were to trick the user into providing their private key. The skill itself warns the user ('careful with this!'), but the capability is presented. | Advise users to exercise extreme caution when handling private keys. If an agent needs to interact with keys, it should use secure, non-interactive methods (e.g., hardware wallets, secure enclaves) rather than prompting for raw private key input. Emphasize that private keys should never be shared with an AI agent or any untrusted entity. | LLM | SKILL.md:89 |