Trust Assessment
trade-agent received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 9 findings: 5 critical, 2 high, 2 medium, and 0 low severity. Key findings include Arbitrary command execution, Missing required field: name, Agent instructed to execute shell commands.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 3/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (9)
| Severity | Finding | Details | Remediation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Arbitrary command execution | Node.js child_process require | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/chaunceyliu/trade-agent/aiusd-skill-installer.js:14 |
| CRITICAL | Arbitrary command execution | Node.js synchronous shell execution | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/chaunceyliu/trade-agent/aiusd-skill-installer.js:58 |
| CRITICAL | Arbitrary command execution | Node.js synchronous shell execution | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/chaunceyliu/trade-agent/aiusd-skill-installer.js:64 |
| CRITICAL | Agent instructed to execute shell commands | The skill explicitly instructs the AI agent to execute shell commands such as `npm run reauth`, `npm run login`, `aiusd-skill tools --detailed`, and `node scripts/reauth.js`. While these commands are hardcoded, granting an LLM the capability to execute arbitrary shell commands introduces a significant risk of command injection if the LLM's interpretation or construction of commands is not perfectly constrained, potentially leading to unauthorized system access or data manipulation. | Avoid instructing the LLM to directly execute shell commands. Instead, use a sandboxed environment or a dedicated API that exposes only necessary functions with strictly validated parameters. If shell execution is unavoidable, ensure commands are fully hardcoded and cannot be influenced by user input, and execute them within a highly restricted environment. | LLM | SKILL.md:160 |
| CRITICAL | Installer script uses direct shell execution | The `aiusd-skill-installer.js` script uses `execSync` to run `tar` and `npm install` commands. Similarly, `aiusd-skill-installer.sh` directly executes `tar` and `npm install`. These direct shell executions, especially during installation, can be a vector for command injection if any part of the command string were to be influenced by untrusted input. Although the commands appear fixed in this context, the use of direct shell execution is a high-risk operation. | Minimize or eliminate direct shell command execution. If necessary, use libraries that provide safer, parameterized execution methods or ensure all command arguments are strictly validated and sanitized. Consider using a package manager's API for dependency installation instead of direct shell calls. | LLM | aiusd-skill-installer.js:40 |
| HIGH | Excessive permissions for financial transactions and system access | The AI agent is granted capabilities to perform high-risk financial transactions (e.g., `genalpha_execute_intent`, `genalpha_withdraw_to_wallet`, `genalpha_stake_aiusd`). Additionally, it is instructed to modify user-specific configuration files (`~/.mcporter/`, `~/.mcp-hub/`) and execute arbitrary shell commands (`npm run`, `aiusd-skill`). This combination represents an overly broad scope of access and capabilities for an AI agent, increasing the potential impact of a compromise or unintended behavior. | Implement strict access controls and least privilege principles. Restrict the agent's ability to execute shell commands to a highly sandboxed environment. Limit filesystem access to only essential directories and files. For financial operations, ensure multi-factor authentication and strict transaction limits are in place, and consider human-in-the-loop approval for high-value transactions. | LLM | SKILL.md:100 |
| HIGH | Supply chain risk from unpinned dependencies and hidden package content | Both installer scripts (`aiusd-skill-installer.js` and `aiusd-skill-installer.sh`) execute `npm install`. Without a visible `package-lock.json` or strictly pinned versions in the `package.json` (which is hidden within the base64 payload), this can lead to unpinned dependency vulnerabilities, allowing newer, potentially malicious versions of packages to be installed. Furthermore, `npm install` can execute arbitrary `postinstall` scripts defined in the `package.json` or its dependencies, which are not visible in the provided context, posing a significant supply chain risk. | Ensure all dependencies are strictly pinned to specific versions (e.g., using `package-lock.json` or exact version numbers in `package.json`). Thoroughly audit all dependencies for known vulnerabilities. Avoid executing `npm install` on untrusted or obfuscated package content. Consider using a secure dependency scanning tool. | LLM | aiusd-skill-installer.js:45 |
| MEDIUM | Missing required field: name | The `name` field is required for claude_code skills but is missing from the frontmatter. | Add a `name` field to the SKILL.md frontmatter. | Static | skills/chaunceyliu/trade-agent/SKILL.md:1 |
| MEDIUM | Skill package obfuscated with base64 encoding | The `aiusd-skill-installer.js` and `aiusd-skill-installer.sh` files contain a large base64 encoded string (`PACKAGE_DATA` / `__ARCHIVE_START__` content) which represents the compressed skill package. This obfuscation hides the actual code and dependencies being installed and executed, making it difficult to audit for malicious content or vulnerabilities without first decoding the payload. This practice can conceal hidden instructions or malicious code. | Provide skill code in a clear, human-readable format (e.g., plain text, well-commented source code). Avoid obfuscation techniques like base64 encoding for core skill logic. If packaging is necessary, use standard, auditable formats and provide clear documentation of contents. | LLM | aiusd-skill-installer.js:70 |
Full report: https://skillshield.io/report/2c301660b661bd61