Trust Assessment
trustra-escrow received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 14 findings: 0 critical, 1 high, 12 medium, and 1 low severity. Key findings include "Suspicious import: requests", "Unpinned Python dependency version", and "Private Key Printed to Standard Output".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 23/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (14)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Private Key Printed to Standard Output.** The `export_key.py` script retrieves a user's wallet private key from the Trustra API and prints it directly to standard output. While the script includes a warning, exposing a private key in this manner is a significant security risk. The key can be captured by terminal logs, shell history, or other processes monitoring stdout, potentially leading to unauthorized access to the user's wallet if the execution environment is compromised. Avoid printing sensitive credentials like private keys directly to standard output. Instead, consider more secure methods for handling and displaying such information, such as writing to a temporary, permission-restricted file, using a secure input/output mechanism, or integrating with a secure vault service. If direct display is necessary, ensure strong warnings are present and advise users to clear their terminal history immediately. | LLM | scripts/export_key.py:34 |
| MEDIUM | **Suspicious import: requests.** Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/xasus1/trustra-escrow/scripts/balance.py:9 |
| MEDIUM | **Suspicious import: requests.** Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/xasus1/trustra-escrow/scripts/escrow_cancel.py:14 |
| MEDIUM | **Suspicious import: requests.** Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/xasus1/trustra-escrow/scripts/escrow_confirm.py:13 |
| MEDIUM | **Suspicious import: requests.** Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/xasus1/trustra-escrow/scripts/escrow_create.py:14 |
| MEDIUM | **Suspicious import: requests.** Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/xasus1/trustra-escrow/scripts/escrow_deliver.py:14 |
| MEDIUM | **Suspicious import: requests.** Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/xasus1/trustra-escrow/scripts/escrow_dispute.py:14 |
| MEDIUM | **Suspicious import: requests.** Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/xasus1/trustra-escrow/scripts/escrow_list.py:15 |
| MEDIUM | **Suspicious import: requests.** Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/xasus1/trustra-escrow/scripts/escrow_pay.py:13 |
| MEDIUM | **Suspicious import: requests.** Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/xasus1/trustra-escrow/scripts/escrow_withdraw.py:13 |
| MEDIUM | **Suspicious import: requests.** Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/xasus1/trustra-escrow/scripts/export_key.py:10 |
| MEDIUM | **Suspicious import: requests.** Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/xasus1/trustra-escrow/scripts/register.py:11 |
| MEDIUM | **Unpinned Python dependency version.** Requirement 'requests>=2.28.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/xasus1/trustra-escrow/scripts/requirements.txt:1 |
| LOW | **Unpinned Dependency Version.** The `requests` library is specified with a minimum version (`requests>=2.28.0`) but not a precise version. While this allows for security updates, it also introduces a minor supply chain risk where a future, potentially vulnerable or malicious, version of `requests` could be installed without explicit review. For security-sensitive applications, pinning dependencies to exact versions is a best practice. Pin the `requests` dependency to an exact version (e.g., `requests==2.28.0`) to ensure deterministic builds and prevent unexpected changes or vulnerabilities from being introduced by newer versions. Regularly review and update pinned dependencies. | LLM | scripts/requirements.txt:1 |
Full report: https://skillshield.io/report/85632a705c97042b