Trust Assessment
solana-trader received a trust score of 72/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium and 0 low severity. The key finding is "Unsafe private key import via Node.js `eval` allows command injection".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Unsafe private key import via Node.js `eval` allows command injection | LLM | SKILL.md:108 |

The skill instructs the AI to construct and execute a Node.js command using `node -e` to import a private key. The user-provided `PRIVATE_KEY` is interpolated directly into a JavaScript string inside that command without escaping. A malicious user can inject arbitrary JavaScript (e.g. `'); require('child_process').execSync('malicious_command'); //`) through the `PRIVATE_KEY` input, leading to arbitrary command execution on the host system.

Remediation: the `PRIVATE_KEY` value must be escaped before it is embedded in the `node -e` command string. Safer approaches are to pass the key via an environment variable or a temporary file, or to apply `JSON.stringify()` to the key before embedding it so that it cannot terminate the string literal. Alternatively, if `bs58` is available as a CLI tool, use it instead of `node -e`.
Full report: [https://skillshield.io/report/daab216170f8b326](https://skillshield.io/report/daab216170f8b326)
Powered by SkillShield