Trust Assessment
polymarket-correlation received a trust score of 74/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 10 findings: 0 critical, 0 high, 4 medium, and 0 low severity. Key findings include "Suspicious import: urllib.request", "API Key read from environment and used in external request", and "Raw exception details exposed in error messages/logs".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (10)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Suspicious import: urllib.request. Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/sbaker5/polyedge/src/dashboard.py:8 |
| MEDIUM | Suspicious import: urllib.request. Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/sbaker5/polyedge/src/polymarket.py:8 |
| MEDIUM | Suspicious import: urllib.request. Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/sbaker5/polyedge/src/x402.py:9 |
| MEDIUM | API Key read from environment and used in external request. The skill reads 'BASESCAN_API_KEY' from environment variables and uses it in requests to the BaseScan API. While BaseScan is a public blockchain explorer, API keys are generally considered credentials. Their use in external requests, especially if not properly secured or if the key has broader permissions, poses a data exfiltration risk for the key itself and potentially for data accessible via that key. If this key were compromised or exposed, it could lead to unauthorized access or rate limit abuse. Ensure that the BASESCAN_API_KEY has the minimum necessary permissions. Consider whether the key is truly required, or whether the public, rate-limited endpoint is sufficient. If required, ensure the key is handled securely, not logged, and rotated regularly. Implement robust error handling to prevent the key from being exposed in error messages. | LLM | src/dashboard.py:21 |
| INFO | Raw exception details exposed in error messages/logs. The skill exposes raw exception details (e.g., `str(e)`) in API responses or console logs. This can inadvertently leak internal system information, such as file paths, variable values, or stack traces, which could aid an attacker in understanding the system's architecture and identifying further vulnerabilities. Catch exceptions and log full details internally for debugging purposes. For external responses or user-facing logs, provide generic, non-descriptive error messages to prevent information leakage. Review all `print(f"... {e}")` and `str(e)` usages. | LLM | src/api.py:176 |
| INFO | Raw exception details exposed in error messages/logs. Same finding as above. | LLM | src/dashboard.py:50 |
| INFO | Raw exception details exposed in error messages/logs. Same finding as above. | LLM | src/dashboard.py:80 |
| INFO | Raw exception details exposed in error messages/logs. Same finding as above. | LLM | src/polymarket.py:30 |
| INFO | Raw exception details exposed in error messages/logs. Same finding as above. | LLM | src/x402.py:110 |
| INFO | Unpinned dependencies in skill package. The skill package does not include a `requirements.txt` or similar file to pin its dependencies to specific versions. This can lead to supply chain risks, as future installations might pull in newer, potentially incompatible, or vulnerable versions of libraries, leading to unexpected behavior or security flaws. Add a `requirements.txt` file (or `pyproject.toml` with `poetry.lock`/`pipenv.lock`) that explicitly lists and pins all direct and transitive dependencies to specific versions. Regularly update and review these dependencies for known vulnerabilities. | LLM | SKILL.md:1 |