Trust Assessment
sui-agent-wallet received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 10 findings: 4 critical, 1 high, 4 medium, and 1 low severity. Key findings include Network egress to untrusted endpoints, Credential harvesting, Missing required field: name.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 16/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings10
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/easonc13/sui-agent-wallet/server/wallet.ts:27 | |
| CRITICAL | Credential harvesting macOS Keychain credential access Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/easonc13/sui-agent-wallet/server/keychain.ts:39 | |
| CRITICAL | Unauthenticated Seed Phrase Exposure via Local HTTP Endpoint The local server exposes the wallet's seed phrase via an unauthenticated HTTP GET request to `/mnemonic`. Any process running on the user's local machine can make a request to `http://localhost:3847/mnemonic` and retrieve the full seed phrase, leading to complete compromise of the wallet. The SKILL.md explicitly documents this endpoint for backup purposes, highlighting its accessibility. Remove the `/mnemonic` endpoint entirely or implement strong authentication and authorization mechanisms to protect access to the seed phrase. Seed phrases should never be exposed via unauthenticated APIs, even on localhost. | LLM | server/index.ts:80 | |
| CRITICAL | Seed Phrase Printed to Console on Keychain Failure If the attempt to store the newly generated seed phrase in macOS Keychain fails, the `server/wallet.ts` code prints the seed phrase directly to the console (stdout). This is a critical data exfiltration risk, as the seed phrase can be captured by terminal logs, process monitors, or other local tools, compromising the wallet. Never print sensitive credentials like seed phrases to stdout/stderr. Implement robust error handling for Keychain storage that does not expose the mnemonic. If Keychain storage fails, the user should be prompted to manually save the mnemonic securely, without it being printed to the console. | LLM | server/wallet.ts:108 | |
| HIGH | Unauthenticated Seed Phrase Import via Local HTTP Endpoint The local server allows importing a new seed phrase via an unauthenticated HTTP POST request to `/import`. This means any local process can overwrite the existing wallet's seed phrase with a new one, potentially leading to a denial-of-service (wiping the user's wallet) or a wallet replacement attack if an attacker controls a local process. Implement strong authentication and authorization for the `/import` endpoint. Consider if this functionality is truly necessary via an unauthenticated local API, or if it should be handled through a more secure, interactive user interface. | LLM | server/index.ts:300 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/easonc13/sui-agent-wallet/SKILL.md:1 | |
| MEDIUM | Unpinned npm dependency version Dependency '@mysten/sui' is not pinned to an exact version ('^1.21.1'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/easonc13/sui-agent-wallet/server/package.json | |
| MEDIUM | Unpinned npm dependency version Dependency '@mysten/dapp-kit' is not pinned to an exact version ('^0.14.45'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/easonc13/sui-agent-wallet/test-dapp/frontend/package.json | |
| MEDIUM | Potential Command Injection in Keychain Interaction The `server/keychain.ts` module uses `child_process.execSync` to interact with the `security` command, directly interpolating the `mnemonic` string into the shell command. While BIP39 mnemonics are typically constrained to English words and spaces, this pattern is inherently vulnerable to command injection if the `mnemonic` variable were ever to contain shell metacharacters (e.g., `;`, `&`, `|`, `` ` ``) from an unexpected source. This could allow arbitrary command execution on the host system. Avoid direct string interpolation into shell commands when dealing with potentially user-controlled or dynamic input. Use a library that provides direct Keychain access (if available for Bun/Node.js) or ensure robust shell escaping of the `mnemonic` string before passing it to `execSync`. | LLM | server/keychain.ts:20 | |
| LOW | DApp Origin and URL Sent to Local Server The browser extension's background script forwards the `origin` and `url` of the DApp page to the local server for every wallet request. While this is a local server and likely necessary for providing context to the agent for transaction review, it means the local skill component collects browsing context information. This could be considered excessive data collection if not strictly necessary or if the local server's logging/storage practices are not transparent. Clearly document what data (like DApp origin/URL) is collected by the local server, why it's necessary for the skill's functionality, and how it is handled (e.g., not logged, not stored persistently). Ensure that only the minimum necessary information is transmitted. | LLM | extension/background.js:100 |
Scan History
Embed Code
[](https://skillshield.io/report/6560328f9f8d7433)
Powered by SkillShield