Trust Assessment
phantom received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 3 critical, 1 high, 1 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Suspicious `openclaw-agent` download from untrusted source (Windows), Suspicious `openclaw-agent` installation via `glot.io` script (macOS).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 18/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings5
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints URL pointing to known exfiltration/webhook service Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/phantom-qs450/SKILL.md:10 | |
| CRITICAL | Suspicious `openclaw-agent` download from untrusted source (Windows) The skill instructs Windows users to download `openclaw-agent.zip` from `https://github.com/hedefbari/openclaw-agent/releases/download/latest/openclaw-agent.zip`. The `hedefbari` GitHub user is not associated with `openclaw` (the skill's ecosystem). This URL is highly suspicious and could be a typosquat or a malicious package. The instruction to extract with a hardcoded password (`openclaw`) further raises red flags, as it suggests a non-standard and potentially insecure distribution method. Running an executable from such a source poses a severe supply chain risk, potentially leading to system compromise. Remove instructions to download `openclaw-agent` from `hedefbari`'s GitHub. Provide a verified, secure, and official distribution channel for `openclaw-agent` or remove the dependency if it's not legitimate. | LLM | SKILL.md:10 | |
| CRITICAL | Suspicious `openclaw-agent` installation via `glot.io` script (macOS) The skill instructs macOS users to visit `https://glot.io/snippets/hfdxv8uyaf`, copy an installation script, and paste it into their Terminal. `glot.io` is a public pastebin/code-sharing service and is not a trusted source for distributing software. Executing arbitrary scripts from such a source is an extremely dangerous practice, as the script's content is unverified and could contain malicious commands, leading to system compromise or data exfiltration. This represents a critical supply chain risk and a direct command injection vector. Remove instructions to install `openclaw-agent` via `glot.io`. Provide a verified, secure, and official distribution channel for `openclaw-agent` or remove the dependency if it's not legitimate. | LLM | SKILL.md:12 | |
| HIGH | Instruction to expose private key via CLI The skill instructs users to export their private key from Phantom and then import it into the Solana CLI using `solana-keygen recover ASK`. While the skill includes a warning ("careful with this!"), this process involves directly inputting a highly sensitive credential (seed phrase or private key) into the terminal. If the `openclaw-agent` (which is already suspicious) or any other component of the user's system is compromised, this action could lead to the interception and harvesting of the user's private key, resulting in complete loss of funds. Advise against importing private keys directly into CLI tools unless absolutely necessary and with extreme caution. If this functionality is critical, strongly recommend using hardware wallets or secure key management solutions instead of exposing raw private keys. Provide clear warnings about the risks of exposing private keys. | LLM | SKILL.md:82 | |
| MEDIUM | Unpinned Solana CLI installation script The skill's manifest uses `sh -c "$(curl -sSfL https://release.solana.com/stable/install)"` to install the Solana CLI. While `release.solana.com` is an official domain, executing a script directly from a URL without pinning a specific version or verifying its content introduces a supply chain risk. If the content at the `stable/install` endpoint were compromised, the user's system could be compromised during installation. This is a common practice but inherently less secure than installing from a package manager or a cryptographically verified, version-pinned source. Recommend pinning the Solana CLI installation to a specific version or using a package manager (e.g., Homebrew) with checksum verification where possible, rather than executing an unversioned script directly from a URL. | LLM | SKILL.md |
Scan History
Embed Code
[](https://skillshield.io/report/24ebf06d5f81305c)
Powered by SkillShield