Trust Assessment
sparkbtcbot received a trust score of 66/100, placing it in the Caution category: the skill has security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium and 0 low severity. The two high-severity findings are one issue reported at two locations, a wallet mnemonic exposed via console output and direct return; the medium-severity finding is an unpinned npm dependency version.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph and LLM Behavioral Safety. All four layers scored 70 or above.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Mnemonic exposed via console output and direct return. The skill's example code (`wallet-setup.js` and the demo in `spark-agent.js`) prints the generated Bitcoin wallet mnemonic to stdout. A mnemonic is equivalent to the wallet's private key, so if an AI agent executes this code the secret lands in the agent's logs or output. In addition, `SparkAgent.create` in `spark-agent.js` returns the generated mnemonic directly, leaving it in memory where the agent's code can log or misuse it. Remediation: do not print mnemonics or other credentials to stdout. If a mnemonic must be shown to a user for backup, use a dedicated display flow that prevents logging or capture by automated systems. For agent use, pass and store the mnemonic through encrypted secrets management or protected environment variables, never in plain text, and have `SparkAgent.create` initialise the wallet internally from that secure storage rather than return the mnemonic to the agent instance. | LLM | examples/wallet-setup.js:25 |
| HIGH | Same finding as above, reported at a second location. | LLM | examples/spark-agent.js:130 |
| MEDIUM | Unpinned npm dependency version. `@buildonspark/spark-sdk` is specified as `^0.5.8`, a caret range rather than an exact version. Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/echennells/sparkbtcbot/package.json |
Full report: https://skillshield.io/report/3e1f2ceff323f45e