Trust Assessment
solclaw received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 3 high, 1 medium, and 0 low severity. Key findings include Credential Harvesting via Private Key Import, Data Exfiltration / Credential Leak via Key Export, Supply Chain Risk: Unpinned `npx` Dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Credential Harvesting via Private Key Import.** The `solclaw init --private-key` command allows importing a base58-encoded private key directly as a command-line argument. An attacker could craft a prompt to induce the LLM to supply a private key it possesses (e.g., from its context or memory) to this command, leading to credential harvesting. This is a direct mechanism for an LLM to expose sensitive cryptographic material. The LLM should be strictly forbidden from providing private keys to any command. If private key import is necessary, it should be handled through secure, interactive prompts or encrypted files, never as a direct command-line argument from potentially untrusted input. Implement robust input validation and user confirmation for such sensitive operations. | LLM | skill.md:34 |
| HIGH | **Data Exfiltration / Credential Leak via Key Export.** The `solclaw export` command can output the agent's private key in base58 or JSON format. If an attacker can trick the agent (via prompt injection) into executing this command and subsequently exfiltrating the output (e.g., by sending it in a response or logging it), it would lead to a direct compromise of the agent's cryptographic keys and sensitive data. Implement strict output filtering and user confirmation for commands that expose sensitive credentials. Ensure the LLM is trained to never output or transmit private keys or other sensitive data, especially after executing export commands. Sandboxing the execution environment to prevent network egress of sensitive data is also recommended. | LLM | skill.md:37 |
| HIGH | **Supply Chain Risk: Unpinned `npx` Dependency.** The skill uses `npx solclaw-cli` without specifying a version. This means `npx` will always fetch and execute the latest available version of the `solclaw-cli` package from npm. This practice introduces a significant supply chain vulnerability, as a malicious update to the `solclaw-cli` package could be automatically executed, potentially compromising the agent's environment or data. Pin the version of `solclaw-cli` when using `npx` (e.g., `npx solclaw-cli@1.2.3`). Alternatively, install the package globally or locally with a pinned version (`npm install -g solclaw-cli@1.2.3`) and then use `solclaw-cli` directly to ensure deterministic execution and mitigate risks from unexpected or malicious updates. | LLM | skill.md:20 |
| MEDIUM | **Potential Command Injection via JSON Arguments.** The `solclaw batch` and `solclaw split` commands accept JSON strings as arguments (`--payments <json>`, `--recipients <json>`). If the underlying `solclaw` CLI tool does not robustly parse and sanitize these JSON inputs, a specially crafted JSON string could potentially lead to command injection by embedding shell metacharacters or malicious code that gets executed during parsing or processing. This is a common vector for injection if not handled carefully. Ensure all JSON inputs to CLI commands are strictly validated against a schema and parsed using safe, non-evaluating methods (e.g., `JSON.parse()` without `eval`). Implement robust escaping for any data that might be passed to a shell or interpreted by external processes to prevent injection of arbitrary commands. | LLM | skill.md:59 |