Trust Assessment
soroban-trader received a trust score of 25/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 2 critical, 2 high, 1 medium, and 1 low severity. Key findings include Unsafe deserialization / dynamic eval, Unpinned npm dependency version, Node lockfile missing.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Password Exposed in Tool Arguments.** The `password` argument, which is used to decrypt and access the private key, is passed directly to the `getWallet` and `swap` functions. This means the password will be present in the LLM's context when these tools are invoked. An attacker could craft a prompt injection to extract this password from the LLM's memory, logs, or subsequent outputs, leading to credential harvesting and potential compromise of the user's cryptocurrency wallet. Implement a secure password management mechanism that does not expose the password directly in tool arguments. This could involve: 1) Using a secure vault or environment variable that the skill can access directly without the LLM handling the password. 2) Requiring a one-time authentication or session token instead of the raw password for each operation. 3) If the password must be provided by the LLM, ensure it's ephemeral and not stored or logged by the LLM. | LLM | index.js:109 |
| CRITICAL | **Password Exposed in Tool Arguments.** The `password` argument, which is used to decrypt and access the private key, is passed directly to the `getWallet` and `swap` functions. This means the password will be present in the LLM's context when these tools are invoked. An attacker could craft a prompt injection to extract this password from the LLM's memory, logs, or subsequent outputs, leading to credential harvesting and potential compromise of the user's cryptocurrency wallet. Implement a secure password management mechanism that does not expose the password directly in tool arguments. This could involve: 1) Using a secure vault or environment variable that the skill can access directly without the LLM handling the password. 2) Requiring a one-time authentication or session token instead of the raw password for each operation. 3) If the password must be provided by the LLM, ensure it's ephemeral and not stored or logged by the LLM. | LLM | index.js:147 |
| HIGH | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/kaankacar/soroban/skill/index.js:30 |
| HIGH | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/kaankacar/soroban/skill/index.js:40 |
| MEDIUM | **Unpinned npm dependency version.** Dependency '@stellar/stellar-sdk' is not pinned to an exact version ('^14.5.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/kaankacar/soroban/skill/package.json |
| LOW | **Node lockfile missing.** package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/kaankacar/soroban/skill/package.json |
| INFO | **Unpinned Dependency Version.** The `package.json` specifies `@stellar/stellar-sdk` with a caret (`^`) prefix, allowing minor and patch updates (`^14.5.0`). While common, this means that new versions could be installed automatically without explicit review, potentially introducing breaking changes, vulnerabilities, or unexpected behavior if a malicious update were to occur in the upstream package. For critical applications, pinning to exact versions is often preferred. Consider pinning the dependency to an exact version (e.g., `"@stellar/stellar-sdk": "14.5.0"`) to ensure deterministic builds and prevent unexpected changes from upstream updates. Regularly review and manually update dependencies to incorporate security fixes. | LLM | package.json:20 |