Trust Assessment
solpaw received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 1 critical, 1 high, 2 medium, and 1 low severity. Key findings include Unpinned npm dependency version, Node lockfile missing, Potential Command Injection via Shell Command Construction.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Potential Command Injection via Shell Command Construction.** The skill's manifest specifies `command-tool: "exec"` and `command-arg-mode: "raw"`, which allows the host LLM to execute arbitrary shell commands. The `SKILL.md` documentation provides `curl` examples for launching tokens where user-controlled data (e.g., token name, symbol, description) would be interpolated directly into a JSON payload within a shell command. If the LLM constructs these `curl` commands using unsanitized user input, a malicious user could inject arbitrary shell commands. For instance, injecting `", $(rm -rf /tmp); echo "` into a field like 'name' could lead to arbitrary code execution on the agent's host. 1. **Strongest**: Remove `command-tool: "exec"` from the manifest and rely solely on the TypeScript SDK (`solpaw-skill.ts`) for programmatic interaction, as it correctly JSON-stringifies parameters, preventing this type of injection. 2. If `exec` is strictly necessary, implement robust input sanitization and shell escaping for all user-controlled parameters before constructing shell commands. Avoid direct string interpolation of untrusted input into shell commands. | LLM | SKILL.md:87 |
| HIGH | **Sensitive Environment Variables Exposed to Shell Execution.** The skill explicitly requires highly sensitive environment variables, `SOLANA_PRIVATE_KEY` and `SOLPAW_API_KEY`. While the TypeScript SDK (`solpaw-skill.ts`) accesses these securely via `process.env`, the `command-tool: "exec"` capability means these environment variables are inherently accessible to any shell command executed by the skill. In the event of a successful command injection (as identified in SS-LLM-003), an attacker could easily exfiltrate these credentials, leading to the compromise of the associated Solana wallet and SolPaw account. 1. Minimize the use of `command-tool: "exec"` and prioritize programmatic invocation of the TypeScript SDK. 2. If `exec` is unavoidable, consider using a wrapper that explicitly passes only necessary, non-sensitive environment variables to the subprocess, or sanitizes the environment. 3. Implement strict sandboxing for `exec` commands if possible, limiting access to environment variables. 4. Educate users on the risks of exposing private keys as environment variables, even if necessary for the skill's functionality. | LLM | SKILL.md:40 |
| MEDIUM | **Unpinned npm dependency version.** Dependency '@solana/web3.js' is not pinned to an exact version ('^1.95.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/lvcidpsyche/solpaw-skill/package.json |
| MEDIUM | **Filesystem Read Access for Token Image Upload.** The `SKILL.md` documentation includes an example for uploading a token image using `curl -F "file=@token-logo.png"`. This demonstrates that the skill expects to read local files from the filesystem. While necessary for its intended function, this capability, especially when combined with the `command-tool: "exec"` and potential command injection, could be abused to read arbitrary files from the agent's environment. An attacker could craft a payload to read sensitive files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) if a command injection vulnerability is successfully exploited. 1. If possible, restrict the filesystem access of the `exec` command to a specific, sandboxed directory. 2. Ensure that any file paths provided to the `curl` command are strictly validated and sanitized to prevent path traversal attacks. 3. Prefer using the TypeScript SDK's image upload mechanism if it allows for more controlled file handling (e.g., passing file content directly rather than a file path). | LLM | SKILL.md:76 |
| LOW | **Node lockfile missing.** package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/lvcidpsyche/solpaw-skill/package.json |