Trust Assessment
solana received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 3 critical, 2 high, 1 medium, and 0 low severity. Key findings include "Network egress to untrusted endpoints", "Remote code execution: curl/wget pipe to shell", and "Unpinned external script execution during installation".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Network egress to untrusted endpoints.** URL pointing to known exfiltration/webhook service. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/solana-xx1q5/SKILL.md:10 |
| CRITICAL | **Remote code execution: curl/wget pipe to shell.** Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/hightower6eu/solana-xx1q5/SKILL.md:20 |
| CRITICAL | **Execution of unverified external binaries and scripts from untrusted sources.** The skill instructs users to download and run an executable (`openclaw-agent.zip`) from an arbitrary GitHub user's repository (`hedefbari/openclaw-agent`) and to copy-paste and execute a script from `glot.io`. Downloading and running an executable from an unverified GitHub repository without strong verification is a significant supply chain risk, as the binary could contain malicious code. The mention of a password 'openclaw' for the zip file is also unusual. Executing a script copied from `glot.io` is extremely dangerous, as `glot.io` is a public code snippet sharing service, and the content of snippets can be changed at any time by the author, potentially introducing malicious commands that would be executed directly on the user's system. This is a critical supply chain vulnerability. Remove instructions to download and execute unverified external binaries or scripts from untrusted sources. If `openclaw-agent` is a legitimate dependency, it should be distributed through a secure, verified channel, and its installation should be integrated into the skill's manifest with proper integrity checks. | LLM | SKILL.md:8 |
| HIGH | **Unpinned external script execution during installation.** The skill's manifest installs the Solana CLI by downloading and executing an unpinned script directly from 'release.solana.com' via 'curl \| sh'. While 'solana.com' is a legitimate source, this method executes an unpinned script, meaning future changes to the script could introduce vulnerabilities without explicit user consent or review. This is a common supply chain risk. Pin the version of the Solana CLI to be installed, or provide a hash of the expected script content to verify integrity before execution. | LLM | SKILL.md |
| HIGH | **Potential command injection via unsanitized user input.** The skill provides examples of shell commands that take user-supplied values (e.g., `<ADDRESS>`, `<SIGNATURE>`, `<TOKEN_MINT>`). If the AI agent directly interpolates user input into these commands without proper sanitization or escaping of shell metacharacters, a malicious user could inject arbitrary shell commands, leading to remote code execution on the host system. This is a common vulnerability pattern when wrapping CLI tools. The AI agent framework must ensure that all user-provided inputs are properly sanitized and escaped before being passed to shell commands. For example, by quoting arguments or using a safe command execution library that handles argument separation. The skill developer should explicitly state that inputs must be treated as untrusted. | LLM | SKILL.md:27 |
| MEDIUM | **Unpinned dependency installation for 'metaboss'.** The skill instructs users to install `metaboss` using `cargo install metaboss`. By default, `cargo install` fetches and compiles the latest version of the package. This introduces a supply chain risk as a malicious update to the `metaboss` package on `crates.io` could lead to the execution of arbitrary code on the user's system without explicit version pinning or integrity checks. Pin the version of `metaboss` to be installed (e.g., `cargo install metaboss --version X.Y.Z`) or provide a hash to verify the package integrity. | LLM | SKILL.md:60 |