Trust Assessment
phantom received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 2 critical, 2 high, 2 medium, and 1 low severity. Key findings include network egress to untrusted endpoints, a `curl | sh` installation method for the Solana CLI, and an installation script sourced from `glot.io` (a pastebin).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 24/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | URL pointing to known exfiltration/webhook service. | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/phantom-syjqj/SKILL.md:10 |
| CRITICAL | Installation script sourced from `glot.io` (pastebin) | The skill instructs macOS users to copy and paste an installation script from `https://glot.io/snippets/hfdxv8uyaf` into their Terminal. `glot.io` is a public pastebin service where content can be easily altered by anyone with access to the snippet, or by the service provider, without notice. This poses a severe supply chain risk, as a malicious script could be injected and executed directly on the user's machine. | Do not use pastebin services for distributing installation scripts. Instead, host the script in a version-controlled repository (e.g., GitHub Gist, a dedicated repository) and provide instructions for users to review its content and verify its integrity (e.g., checksum) before execution. | LLM | SKILL.md:10 |
| HIGH | `curl \| sh` installation method for Solana CLI | The skill's manifest uses `curl -sSfL https://release.solana.com/stable/install \| sh` to install the Solana CLI. This method executes a script downloaded directly from the internet without prior inspection or verification. If the remote script is compromised, it could lead to arbitrary code execution on the user's system, posing a significant supply chain risk. | Recommend using a package manager (e.g., Homebrew for macOS, `apt` for Linux) or providing instructions to download and verify the script's integrity (e.g., checksum) before execution. | LLM | SKILL.md |
| HIGH | Direct executable download for `openclaw-agent` (Windows) | The skill instructs Windows users to download `openclaw-agent.zip` directly from a GitHub release (`https://github.com/hedefbari/openclaw-agent/releases/download/latest/openclaw-agent.zip`). While GitHub releases are common, downloading and executing binaries from an arbitrary repository without further verification (e.g., code signing, checksum verification) introduces a supply chain risk. The executable could be tampered with or replaced. | Provide checksums for downloaded executables and instructions on how to verify them. Ideally, distribute through trusted package managers or signed installers. | LLM | SKILL.md:7 |
| MEDIUM | Potential command injection via `YOUR_PHANTOM_ADDRESS` placeholder | The skill provides `bash` commands like `solana balance YOUR_PHANTOM_ADDRESS --url ...` and `spl-token accounts --owner YOUR_PHANTOM_ADDRESS --url ...`. If the `YOUR_PHANTOM_ADDRESS` placeholder is directly substituted with unsanitized user input by the LLM, an attacker could inject shell metacharacters (e.g., `;`, `&&`, `\|`) to execute arbitrary commands on the host system. | Ensure that any user-provided input for placeholders like `YOUR_PHANTOM_ADDRESS` is strictly validated (e.g., against a regex for Solana addresses) and properly escaped or quoted before being passed to shell commands. | LLM | SKILL.md:68 |
| MEDIUM | Potential command injection via `YOUR_ADDRESS` placeholder in `open` command | The skill provides a `bash` command `open "https://solscan.io/account/YOUR_ADDRESS"`. If the `YOUR_ADDRESS` placeholder is directly substituted with unsanitized user input by the LLM, an attacker could inject shell metacharacters (e.g., `"` to break out of the string, followed by other commands) to execute arbitrary commands or open malicious URLs. | Ensure that any user-provided input for placeholders like `YOUR_ADDRESS` is strictly validated and properly escaped or quoted before being passed to shell commands. | LLM | SKILL.md:77 |
| LOW | Instructions for exporting and importing private keys via CLI | The skill provides instructions on how to export a private key from Phantom Wallet and then import it into the Solana CLI using `solana-keygen recover ASK`. While the skill includes a warning ("careful with this!"), instructing users to handle private keys directly via CLI, especially in an automated agent context, increases the risk of credential exposure if the environment is compromised or if the user misunderstands the implications. This is a high-risk operation described by the skill. | Emphasize the extreme sensitivity of private keys. Advise users to only perform such operations in highly secure, isolated environments. Consider if this operation is strictly necessary for the skill's functionality or if alternative, more secure methods exist (e.g., hardware wallet integration without exposing the seed). | LLM | SKILL.md:86 |