Trust Assessment
typhoon-starknet-account received a trust score of 48/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 1 critical, 2 high, 2 medium, and 2 low severity. Key findings include Unsafe deserialization / dynamic eval, Unpinned npm dependency version, Node lockfile missing.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 38/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings7
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Command Injection via Crontab Modification The `scripts/watch-events-smart.js` script uses `execSync` to modify the system's crontab. The `cronEntry` string, which is passed to `crontab -`, is constructed using `jobName` (derived from `config.schedule.name` in the input JSON). If an attacker can control `config.schedule.name` through a crafted prompt, they can inject arbitrary shell commands into the crontab, leading to persistent command execution with the privileges of the skill. Sanitize all user-controlled input before incorporating it into shell commands. For crontab entries, ensure that `jobName` and any other dynamic parts are strictly validated or escaped. A safer approach would be to write the crontab entry to a temporary file and then use `crontab <temp_file>` to apply it, ensuring no shell metacharacters can be injected into the `echo` command. | LLM | scripts/watch-events-smart.js:130 | |
| HIGH | Private Key Exposure via Command-Line Arguments The `scripts/resolve-smart.js` script loads the user's private key and then passes it directly as a command-line argument to child processes such as `scripts/avnu-swap.js` and `scripts/invoke-contract.js`. Passing sensitive information like private keys via command-line arguments is highly insecure as it exposes the key in process lists (`ps aux`), system logs, and potentially to other users on a multi-user system, making it vulnerable to credential harvesting. Avoid passing private keys or other sensitive credentials as command-line arguments. Instead, use more secure methods such as environment variables (with proper cleanup), secure inter-process communication (IPC), or temporary files with restricted permissions (e.g., `0o600`) that are immediately deleted after use. For Node.js, passing the key via stdin to the child process or using a dedicated IPC channel would be more secure. | LLM | scripts/resolve-smart.js:40 | |
| HIGH | Server-Side Request Forgery (SSRF) via Webhook URL The `scripts/watch-events-smart.js` script includes a `sendWebhook` function that makes an HTTP POST request to an arbitrary `webhookUrl` provided in the input configuration (`config.webhookUrl`). If this `webhookUrl` can be controlled by untrusted input (e.g., from a user prompt), an attacker could specify internal network addresses or sensitive endpoints, leading to Server-Side Request Forgery (SSRF). This could allow the attacker to scan internal networks, access internal services, or exfiltrate data from the skill's host environment. Implement strict validation and sanitization for the `webhookUrl`. Only allow URLs that match a whitelist of trusted domains or IP ranges. If dynamic URLs are necessary, ensure they are parsed and validated to prevent access to internal resources (e.g., block private IP ranges, loopback addresses, and non-HTTP/HTTPS schemes). Consider using a proxy or a dedicated service for webhook delivery that enforces these security policies. | LLM | scripts/watch-events-smart.js:39 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/esdras-sena/typhoon-starknet-account/scripts/load-account.js:6 | |
| MEDIUM | Unpinned npm dependency version Dependency 'starknet' is not pinned to an exact version ('^9.2.1'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/esdras-sena/typhoon-starknet-account/package.json | |
| LOW | Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/esdras-sena/typhoon-starknet-account/package.json | |
| LOW | Unpinned Dependencies in package.json The `package.json` file uses caret (`^`) ranges for all dependencies (e.g., `starknet: ^9.2.1`). While this allows for minor and patch updates, it means that new versions of these packages could be installed without explicit review. A malicious or vulnerable minor/patch release could introduce security flaws or unexpected behavior. For critical applications, strict pinning (e.g., `9.2.1`) or using a lock file (`package-lock.json`) with a robust CI/CD pipeline is recommended. Consider strictly pinning dependencies to exact versions (e.g., `"starknet": "9.2.1"`) to ensure deterministic builds and prevent unexpected updates. Regularly audit and update dependencies to mitigate known vulnerabilities. Ensure `package-lock.json` is committed and used consistently across environments. | LLM | package.json:9 |
Scan History
Embed Code
[](https://skillshield.io/report/41d4b67c0bb6b90b)
Powered by SkillShield