Trust Assessment
solpaw received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 1 high, 1 medium, and 1 low severity. Key findings include "Unpinned npm dependency version", "Node lockfile missing", and "Untrusted content attempts to manipulate host LLM instructions".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Untrusted content attempts to manipulate host LLM instructions. The `SKILL.md` file, which is treated as untrusted input, contains explicit instructions intended to control the behavior of the host LLM (e.g., "This skill MUST only be invoked by the user.", "DO NOT launch tokens without explicit user approval"). These directives attempt to override or influence the LLM's operational guidelines from an untrusted source, which is a form of prompt injection. Remove all direct instructions or behavioral constraints intended for the host LLM from untrusted skill documentation. LLM instructions should only originate from trusted system prompts. | LLM | SKILL.md:10 |
| HIGH | Skill uses `exec` with `curl` and raw arguments, risking command injection. The skill's manifest specifies `command-tool: "exec"` and `command-arg-mode: "raw"`, indicating that it executes external commands and passes arguments without shell escaping. The `SKILL.md` provides `curl` examples that construct JSON payloads using direct string interpolation of variables (e.g., `$SOLPAW_CREATOR_WALLET`, `$IMAGE_ID`, `$CSRF`, and potentially user-provided token details like `name`, `symbol`, `description`). If the actual `exec` implementation constructs `curl` commands in a similar manner, an attacker could inject shell metacharacters into user-controlled inputs, leading to arbitrary command execution on the host system. 1. Avoid using `command-tool: "exec"` with `command-arg-mode: "raw"` for commands that process user input. 2. If `exec` is necessary, ensure all user-controlled inputs are rigorously sanitized and shell-escaped before being incorporated into shell commands. 3. Prefer using a dedicated SDK (like the provided `solpaw-skill.ts`) that handles API interactions programmatically, rather than constructing shell commands with `curl`. If the skill is implemented in TypeScript, ensure the `exec` command invokes the SDK directly and passes arguments safely. 4. When constructing JSON payloads for `curl -d`, use a JSON library to properly serialize data, rather than string concatenation, to prevent injection of shell metacharacters or malformed JSON. | LLM | SKILL.md:49 |
| MEDIUM | Unpinned npm dependency version. Dependency '@solana/web3.js' is not pinned to an exact version ('^1.95.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/lvcidpsyche/solpaw-launcher/package.json |
| LOW | Node lockfile missing. package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/lvcidpsyche/solpaw-launcher/package.json |