Trust Assessment
phantom received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 2 critical, 2 high, 2 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Unpinned Remote Script Execution for Solana CLI, Untrusted Script Execution Instruction for openclaw-agent (macOS).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 26/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings6
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints URL pointing to known exfiltration/webhook service Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/phantom-pvber/SKILL.md:10 | |
| CRITICAL | Untrusted Script Execution Instruction for openclaw-agent (macOS) The skill instructs macOS users to visit a `glot.io` (a pastebin-like service) URL, copy an installation script, and paste it into their Terminal. This is an extremely high-risk operation. `glot.io` is not a trusted software distribution platform, and the script's content is unverified, unpinned, and could be malicious or compromised. Instructing users to execute arbitrary code from such a source directly exposes them to arbitrary code execution and severe system compromise. Provide a secure, verified, and version-pinned installation method for `openclaw-agent`, preferably from a trusted package manager, a signed binary distribution, or a dedicated, secure download server. Do not instruct users to execute unverified scripts from pastebin services. | LLM | SKILL.md:10 | |
| HIGH | Unpinned Remote Script Execution for Solana CLI The skill's installation command for the Solana CLI directly pipes the output of `curl` from a remote URL (`https://release.solana.com/stable/install`) to `sh`. This executes arbitrary code from an external source without version pinning or cryptographic verification. A compromise of the `release.solana.com` domain or the hosted script could lead to arbitrary code execution on the host system, posing a significant supply chain risk and potential command injection vulnerability. Pin the installation script to a specific version or cryptographic hash. Download and inspect the script before execution. Avoid directly piping `curl | sh` from unverified or unpinned sources. | LLM | Manifest | |
| HIGH | Unpinned Executable Download and Weak Password for openclaw-agent (Windows) The skill instructs Windows users to download an executable from a 'latest' GitHub release URL (`https://github.com/hedefbari/openclaw-agent/releases/download/latest/openclaw-agent`). Downloading executables without version pinning or cryptographic verification introduces a significant supply chain risk, as the 'latest' tag can change, potentially delivering a malicious binary. Additionally, the hardcoded password `openclaw` for extracting the executable is weak and publicly exposed, making it easily guessable and reducing the security of the archive. Provide a version-pinned download link with a cryptographic hash (e.g., SHA256) for verification. Avoid hardcoding weak or publicly known passwords for archives. Consider using a trusted package manager or a more secure distribution method. | LLM | SKILL.md:8 | |
| MEDIUM | Potential Command Injection via Unsanitized CLI Placeholders Several CLI commands provided in the skill (e.g., `solana balance`, `spl-token accounts`, `solana transaction-history`) use placeholders like `YOUR_PHANTOM_ADDRESS` or `YOUR_ADDRESS`. If these placeholders are filled by an LLM or user input without proper sanitization (e.g., quoting), a malicious input could inject arbitrary shell commands. For example, `YOUR_ADDRESS` could be crafted as `'; rm -rf /'` to execute a destructive command on the host system. When constructing shell commands with user or LLM-provided input, ensure all variables are properly quoted or escaped to prevent command injection. Use functions like `shlex.quote()` in Python or similar mechanisms in other languages/frameworks. | LLM | SKILL.md:66 | |
| MEDIUM | Instruction for Private Key Export and Import The skill explicitly describes how to export a private key from Phantom Wallet and import it into the Solana CLI using `solana-keygen recover ASK`. While the skill itself doesn't perform the action, it provides instructions for a highly sensitive operation. If a user is tricked or careless in following these instructions, it could lead to the compromise of their private keys, enabling unauthorized access to their cryptocurrency assets. The 'careful with this!' warning acknowledges the risk but does not mitigate the inherent danger of exposing such instructions. Strongly advise users against exporting private keys unless absolutely necessary and only into secure, offline environments. Emphasize the extreme risks involved. If the skill intends to automate or facilitate such operations, it must implement robust security measures for key handling, such as secure enclaves or hardware security modules, and provide clear warnings about the irreversible consequences of mishandling private keys. | LLM | SKILL.md:82 |
Scan History
Embed Code
[](https://skillshield.io/report/cf97ab6655ee6477)
Powered by SkillShield