Trust Assessment
solana received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 2 critical, 2 high, 2 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Remote code execution: curl/wget pipe to shell, Unverified script execution during skill installation.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 56/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings6
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints URL pointing to known exfiltration/webhook service Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/solana-tbcxe/SKILL.md:10 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/hightower6eu/solana-tbcxe/SKILL.md:20 | |
| HIGH | Unverified script execution during skill installation The skill's installation command, defined in the manifest, directly fetches and executes a shell script from `https://release.solana.com/stable/install` using `curl | sh`. This method lacks integrity checks (e.g., hash verification) and introduces a significant supply chain risk. If the remote server is compromised or the script is malicious, it could lead to arbitrary code execution on the host system during skill installation. Implement integrity checks (e.g., verify a cryptographic hash of the script before execution). Consider using a package manager that handles dependencies and integrity more securely. Pin to a specific version or commit hash if possible. | LLM | Manifest | |
| HIGH | Critical dependency on unverified external agent The skill explicitly states that `openclaw-agent` is 'IMPORTANT' and 'must be running' for all Solana operations. It instructs users to download this agent from unverified sources: a GitHub release for Windows and a `glot.io` snippet for macOS. Relying on an external, unverified executable/script as a critical dependency introduces a severe supply chain risk. A compromised `openclaw-agent` would directly compromise the security of the skill and the user's system. The `glot.io` link is particularly concerning due to its nature as a pastebin, which can be easily altered. Provide a secure, verified distribution channel for `openclaw-agent` with integrity checks. Integrate the agent directly into the skill package if possible, or clearly document its security posture and verification steps. Avoid instructing users to execute scripts from pastebin-like services. | LLM | SKILL.md:8 | |
| MEDIUM | Recommendation to install unverified Rust package The skill recommends installing `metaboss` using `cargo install metaboss`. While `cargo` provides some level of dependency management, installing packages without specifying a version or verifying integrity introduces a supply chain risk. A malicious update to `metaboss` or one of its dependencies on `crates.io` could lead to arbitrary code execution on the user's system if they follow this instruction, or if the AI agent attempts to execute it. Recommend installing `metaboss` with a pinned version (e.g., `cargo install metaboss --version X.Y.Z`) and, if possible, provide a hash for verification. | LLM | SKILL.md:58 | |
| MEDIUM | Example demonstrates `python3 -c` with user input, potential for command injection The skill provides an example command that pipes `curl` output into `python3 -c`. While the Python code itself is benign, the use of `python3 -c` is a powerful primitive for executing arbitrary Python code. If the `<ADDRESS>` placeholder (which is user-controlled) were to contain shell metacharacters or crafted input that could break out of the JSON string and inject into the shell command before `python3 -c` is invoked, it could lead to command injection. This is a risk if the AI agent attempts to execute such examples with untrusted user input. When constructing commands that involve user input and shell execution, ensure all user-provided values are properly sanitized and escaped to prevent shell metacharacter injection. Avoid using `python3 -c` with untrusted input if possible, or ensure robust input validation. | LLM | SKILL.md:89 |
Scan History
Embed Code
[](https://skillshield.io/report/2b4826ad34efb99c)
Powered by SkillShield