Trust Assessment
solana-defi-agent received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 1 high, 2 medium, and 0 low severity. Key findings include: unpinned npm dependency version; shell command injection via untrusted URL in `curlFetch`; private key loaded directly from an environment variable or file.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Shell command injection via untrusted URL in `curlFetch` | LLM | `src/lib/actions.ts:116` |
| HIGH | Private key loaded directly from environment variable or file | LLM | `src/lib/wallet.ts:44` |
| MEDIUM | Unpinned npm dependency version | Dependencies | `skills/claude-bot-ai-123123/solana-defi-agent/package.json` |
| MEDIUM | Inconsistent host trust validation mechanism | LLM | `src/lib/actions.ts:200` |

**CRITICAL: Shell command injection via untrusted URL in `curlFetch`** (LLM, `src/lib/actions.ts:116`)

The `ActionsClient` uses `child_process.execSync` to run `curl`, building the command string from a user-provided `blinkUrl`. The URL is double-quoted, but a payload containing escaped double quotes, backticks, or other shell metacharacters could break out of the quoting and execute arbitrary commands on the host. `ActionsClient.getAction` and `ActionsClient.postAction` do not perform a trust check before invoking `curlFetch`, so untrusted URLs reach `execSync`.

Remediation:

1. **Remove `curlFetch`**: replace `child_process.execSync` with Node.js's native `fetch` API, which involves no shell execution. If Cloudflare blocking is the reason for shelling out, use a dedicated HTTP client library that handles TLS fingerprinting or proxying rather than `curl`.
2. **Strict URL validation**: if `curlFetch` must be kept, validate and sanitize the `url`, `headers`, and `body` parameters so that no shell metacharacters can be injected. This is very difficult to do perfectly.
3. **Pre-execution trust check**: make `ActionsClient.getAction` and `ActionsClient.postAction` explicitly call `isTrustedHost` (preferably using the dynamic registry from `src/lib/registry.ts`) and *refuse to proceed* when the host is not trusted, rather than only warning.

**HIGH: Private key loaded directly from environment variable or file** (LLM, `src/lib/wallet.ts:44`)

`Wallet.fromEnv()` loads a Solana private key directly from the `SOLANA_PRIVATE_KEY` environment variable or from a file named by `SOLANA_WALLET_PATH`. The skill's `SKILL.md` advises against committing keypairs to git, but loading raw private keys from environment variables or from arbitrary file paths (especially if `SOLANA_WALLET_PATH` can be influenced by untrusted input) remains a significant risk. If the agent or skill environment is compromised, or if a malicious `blinkUrl` (via the command injection finding) can read environment variables or arbitrary files, the private key can be exfiltrated.

Remediation:

1. **Hardware Security Module (HSM) / Key Management Service (KMS)**: in production, manage keys and sign transactions with an HSM or KMS rather than loading raw private keys.
2. **Secure input**: if raw keys must be used, prefer secure input methods (interactive prompts, encrypted vaults) over environment variables and plain-text files.
3. **Restrict file access**: if loading from a file, keep `SOLANA_WALLET_PATH` strictly controlled and pointed at a secure, permission-restricted location. Avoid resolving `~` where possible, or ensure it resolves to a known secure user home directory.
4. **Isolate signing**: move signing into a separate, isolated service or process that receives only transaction data and returns signatures, so the private key is never exposed to the main application logic.

**MEDIUM: Unpinned npm dependency version** (Dependencies, `skills/claude-bot-ai-123123/solana-defi-agent/package.json`)

Dependency `@solana/web3.js` is not pinned to an exact version (`^1.95.0`). Pin dependencies to exact versions to reduce drift and supply-chain risk.

**MEDIUM: Inconsistent host trust validation mechanism** (LLM, `src/lib/actions.ts:200`)

The skill has two sources of trusted hosts: a hardcoded `TRUSTED_HOSTS` array in `src/lib/actions.ts` and a dynamic registry fetched from `https://actions-registry.dial.to/all` in `src/lib/registry.ts`. `ActionsClient`, which is central to processing `blinkUrl`s, uses its *own* hardcoded `TRUSTED_HOSTS` list in its `isTrustedHost` method. If the dynamic registry is updated (for example with newly trusted hosts, or to drop hosts found to be malicious), `ActionsClient` does not reflect the change until the hardcoded list is edited by hand and the skill redeployed. The result is an outdated or incomplete trust assessment that can allow interaction with untrusted or malicious endpoints.

Remediation:

1. **Unify trust source**: make all host trust validation use the dynamic registry fetched by `src/lib/registry.ts`; refactor `ActionsClient` to depend on `getTrustedHosts` from `src/lib/registry.ts` rather than its own hardcoded list.
2. **Cache management**: cache the dynamic registry and refresh it on a schedule so the trust list stays current without sacrificing performance.
Full report: https://skillshield.io/report/4dbd0b6f757f8ec3