Trust Assessment
sugarclawdy received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. Key findings include "Generation and Local Storage of Ethereum Private Key/Mnemonic" and "Unpinned `npx` dependency for sensitive operation".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Generation and Local Storage of Ethereum Private Key/Mnemonic.** The skill explicitly instructs the AI agent to generate an Ethereum wallet, which includes a private key and mnemonic, and then 'save locally'. Storing cryptographic private keys and mnemonics within the AI agent's context or 'local storage' is a severe security risk. This data can be easily exfiltrated through subsequent prompts, logging, or if the agent's memory is compromised, directly exposing the user's potential funds. Remediation: Do not generate or handle private keys/mnemonics within the AI agent's context. If wallet generation is required, it should be done in a secure, client-side environment or through a dedicated, secure wallet service. If the skill must interact with a wallet, it should only handle public addresses or interact with a secure, external wallet provider via a well-defined API that does not expose private keys to the agent. Remove the instruction to 'save locally' for private keys and mnemonics. | LLM | SKILL.md:97 |
| HIGH | **Unpinned `npx` dependency for sensitive operation.** The skill uses `npx --yes eth-wallet-generate` to generate an Ethereum wallet. `npx` executes packages directly from the npm registry, and using `--yes` bypasses confirmation. Without pinning a specific version (e.g., `eth-wallet-generate@1.2.3`), the skill is vulnerable to supply chain attacks. A malicious actor could publish a new version of `eth-wallet-generate` that exfiltrates generated keys, performs other malicious actions, or introduces vulnerabilities. This also presents an indirect command injection risk if the package itself is compromised. Remediation: Pin the version of `eth-wallet-generate` (e.g., `npx --yes eth-wallet-generate@1.0.0`). Consider using a more robust and auditable method for wallet generation, ideally not directly within the AI agent's execution environment, especially given the critical nature of the output (private keys). If `npx` is necessary, ensure the package is from a trusted source and regularly audited. | LLM | SKILL.md:26 |
Full report: https://skillshield.io/report/328c468e32f35b81