Trust Assessment
skillzmarket received a trust score of 69/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 1 high, 2 medium, and 2 low severity. Key findings include "Unpinned npm dependency version", "Node lockfile missing", and "User-controlled URL and input in 'direct' command enables data exfiltration".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Details | Layer | Location |
|---|---|---|---|---|
| HIGH | User-controlled URL and input in 'direct' command enables data exfiltration | The 'direct' command in 'skillz-cli.ts' allows users to specify an arbitrary 'url' and 'json_input'. The skill will then make a POST request to the specified 'url' with the 'json_input' as the request body, using the 'SKILLZ_PRIVATE_KEY' to sign the payment. This functionality can be abused by an attacker to exfiltrate sensitive user data (if provided in 'json_input') to an attacker-controlled server. While this is an intended feature for interacting with arbitrary x402 endpoints, it presents a significant data exfiltration risk if misused. Implement strict validation or whitelisting for 'url' parameters if possible, or clearly document the security implications to users. For AI agents, ensure the agent is aware of the risks of using this command with untrusted URLs and inputs. Consider if the 'direct' command is truly necessary or if a more constrained approach is possible. | LLM | skillz-cli.ts:99 |
| MEDIUM | Unpinned npm dependency version | Dependency '@x402/fetch' is not pinned to an exact version ('^2.2.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/hiich/skillzmarket/package.json |
| MEDIUM | Skill grants broad network access and private key usage via 'direct' command | The 'direct' command allows the skill to make network requests to any user-specified URL and use the 'SKILLZ_PRIVATE_KEY' to sign payments for these requests. While this is an intended feature for interacting with arbitrary x402 endpoints, it grants very broad network access and sensitive credential usage. An attacker who can control the arguments to this command could leverage the skill's private key to interact with arbitrary blockchain contracts or services, potentially leading to financial loss or other unauthorized actions. Emphasize the critical security implications of the 'direct' command in documentation. Advise users to only use it with trusted URLs and inputs. For AI agents, implement strict guardrails to prevent the agent from calling 'direct' with untrusted or unverified URLs. Consider if the 'direct' command should be restricted or require additional user confirmation for sensitive operations. | LLM | skillz-cli.ts:99 |
| LOW | Node lockfile missing | package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/hiich/skillzmarket/package.json |
| LOW | Skill requires and handles a sensitive private key | The skill explicitly requires 'SKILLZ_PRIVATE_KEY' for its core functionality (x402 payments). This private key is loaded into memory and used for cryptographic signing. While this is necessary for the skill's operation, the presence and handling of such a sensitive credential always introduces a risk. If the environment where the skill runs is compromised, or if the private key is not securely stored by the user, it could lead to unauthorized transactions. The skill itself does not appear to exfiltrate the key, but its presence is a risk factor. Strongly advise users on secure storage practices for 'SKILLZ_PRIVATE_KEY' (e.g., environment variables, secure vaults, not hardcoding). Implement best practices for in-memory handling of sensitive data if possible (though 'viem' and 'x402' libraries are generally secure). Consider using hardware wallets or more secure signing mechanisms if the ecosystem allows. | LLM | skillz-cli.ts:7 |