Trust Assessment
purch-api received a trust score of 39/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 1 critical, 0 high, 5 medium, and 0 low severity. Key findings include: Suspicious import (urllib.request), Direct Private Key Handling in CLI Scripts, and Unpinned Dependencies in Installation Instructions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Direct Private Key Handling in CLI Scripts. The skill package includes multiple CLI scripts (`scripts/buy_and_sign.py`, `scripts/buy_and_sign.ts`, `scripts/buy_and_sign_base.ts`, `scripts/sign_transaction.py`, `scripts/sign_transaction.ts`, `scripts/sign_transaction_base.ts`) that are designed to accept and process cryptographic private keys directly as command-line arguments. These scripts then use the provided private keys to sign and send blockchain transactions (Solana or Base/EVM). While the skill's documentation is in 'rubric mode' and does not explicitly instruct the LLM to execute these scripts with real private keys, the inclusion and detailed documentation of these tools within the skill package create a critical vulnerability. An LLM agent, if given access to this skill and subsequently prompted by a malicious user, could be coerced into executing these scripts with a user's real private key. Passing private keys via command-line arguments is inherently insecure, as they can be exposed in process lists, shell history, or logs, leading to the complete compromise of associated cryptocurrency funds. Redesign the transaction signing process to avoid direct handling of private keys by the agent or CLI scripts. Instead, integrate with secure wallet providers (e.g., browser extensions, hardware wallets, or secure key management services) that handle private key signing internally. If direct signing is unavoidable for specific use cases, implement robust security measures such as environment variables, secure input prompts, or encrypted key storage, and clearly document the extreme risks involved. For agent skills, it is generally recommended to delegate sensitive cryptographic operations to external, user-controlled signing mechanisms. | LLM | SKILL.md:169 |
| MEDIUM | Suspicious import: urllib.request. Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/purch-agent/agentic-commerce/scripts/buy.py:21 |
| MEDIUM | Suspicious import: urllib.request. Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/purch-agent/agentic-commerce/scripts/buy_and_sign.py:21 |
| MEDIUM | Suspicious import: urllib.request. Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/purch-agent/agentic-commerce/scripts/search.py:17 |
| MEDIUM | Suspicious import: urllib.request. Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/purch-agent/agentic-commerce/scripts/shop.py:17 |
| MEDIUM | Unpinned Dependencies in Installation Instructions. The installation instructions for the CLI scripts specify dependencies without pinning them to specific versions (e.g., `pip install solana solders base58`, `bun add @solana/web3.js bs58`, `bun add viem`). This practice introduces a supply chain risk. Without explicit version pinning, future updates to these dependencies could inadvertently introduce vulnerabilities, breaking changes, or even malicious code. An AI agent or user following these instructions would automatically pull the latest available versions, which might not have undergone sufficient security review for the specific skill context. Pin all dependencies to specific, known-good versions in the installation instructions (e.g., `pip install solana==X.Y.Z solders==A.B.C`). Regularly review and update these pinned versions to incorporate security patches and new features, while ensuring compatibility and re-validating security. | LLM | SKILL.md:139 |
Full report: https://skillshield.io/report/bedd6e3eee02dcab (powered by SkillShield)