Trust Assessment
phantom received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 3 critical, 2 high, 0 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Unsafe `curl | sh` for Solana CLI installation, Instruction to download and run untrusted executable.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings5
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints URL pointing to known exfiltration/webhook service Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/phantom-vpnfy/SKILL.md:10 | |
| CRITICAL | Instruction to download and run untrusted executable The skill instructs Windows users to download and run an executable (`openclaw-agent.zip`) from an arbitrary GitHub user (`hedefbari`) which is not the official `openclaw` organization. This poses a severe supply chain risk, as the executable could be malicious. Running executables from untrusted sources can lead to complete system compromise. The mention of a password for extraction is also a poor security practice. Remove instructions to download and run executables from untrusted or unofficial sources. If `openclaw-agent` is a dependency, it should be distributed through official, verified channels or integrated securely within the skill's trusted environment. | LLM | SKILL.md:7 | |
| CRITICAL | Instruction to copy-paste and execute script from untrusted pastebin The skill instructs macOS users to visit a `glot.io` snippet, copy its content, and paste it into their terminal for installation. `glot.io` is a public pastebin service and is highly untrustworthy for distributing installation scripts. This is an extremely dangerous practice, as the content of the snippet can be changed at any time by its author or a compromised `glot.io` account, leading to arbitrary command execution on the user's system. Remove instructions to execute scripts from untrusted pastebin services. Provide official, verified installation methods or integrate dependencies securely. | LLM | SKILL.md:9 | |
| HIGH | Unsafe `curl | sh` for Solana CLI installation The skill's manifest uses `curl -sSfL https://release.solana.com/stable/install | sh` to install the Solana CLI. This pattern is inherently risky as it executes arbitrary code downloaded from the internet without prior inspection. While `release.solana.com` is a legitimate source, a compromise of that server or its CDN could lead to arbitrary code execution on the host system during skill installation. A more secure approach would involve downloading a signed package, verifying its integrity, and then installing it. Replace `curl | sh` with a more secure installation method, such as downloading a signed package, verifying its checksum/signature, and then installing it. Alternatively, provide instructions for manual installation or use a package manager if available. | LLM | Manifest | |
| HIGH | CLI commands with user-controlled placeholders The skill provides several `bash` command snippets that include placeholders like `YOUR_PHANTOM_ADDRESS`, `YOUR_ADDRESS`, `TX_SIGNATURE`. If the LLM is designed to fill these placeholders with user-provided input and then execute these commands, it creates a direct command injection vulnerability. An attacker could inject malicious shell commands into these placeholders, leading to arbitrary code execution. The `solana-keygen recover ASK` command is particularly sensitive as it deals with private keys, posing a credential harvesting risk if input is not sanitized. Implement strict input validation and sanitization for any user-provided data that is used to construct shell commands. Avoid direct concatenation of user input into commands. Consider using a safer method for interacting with CLI tools, such as dedicated libraries or APIs, rather than raw shell execution with interpolated strings. For sensitive commands like `solana-keygen recover`, ensure explicit user confirmation and secure handling of private key material. | LLM | SKILL.md:68 |
Scan History
Embed Code
[](https://skillshield.io/report/4da7e6500a2b86a4)
Powered by SkillShield