Trust Assessment
usdchackathon received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 9 findings: 0 critical, 8 high, 1 medium, and 0 low severity. Key findings include "Hardcoded Bearer Token detected" and "Suspicious domain `gitpad.exe.xyz` recommended for code hosting".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (9)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Hardcoded Bearer Token detected. A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/swairshah/crypto-hackathon/SKILL.md:91 |
| HIGH | Hardcoded Bearer Token detected. A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/swairshah/crypto-hackathon/SKILL.md:208 |
| HIGH | Hardcoded Bearer Token detected. A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/swairshah/crypto-hackathon/SKILL.md:226 |
| HIGH | Hardcoded Bearer Token detected. A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/swairshah/crypto-hackathon/SKILL.md:230 |
| HIGH | Hardcoded Bearer Token detected. A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/swairshah/crypto-hackathon/SKILL.md:96 |
| HIGH | Hardcoded Bearer Token detected. A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/swairshah/crypto-hackathon/SKILL.md:213 |
| HIGH | Hardcoded Bearer Token detected. A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/swairshah/crypto-hackathon/SKILL.md:231 |
| HIGH | Hardcoded Bearer Token detected. A hardcoded Bearer Token was found. Secrets should be stored in environment variables or a secret manager. Replace the hardcoded secret with an environment variable reference. | Static | skills/swairshah/crypto-hackathon/SKILL.md:235 |
| MEDIUM | Suspicious domain `gitpad.exe.xyz` recommended for code hosting. The skill recommends using `gitpad.exe.xyz` for code hosting and instructs users to save credentials for it. The `.exe` top-level domain (TLD) is highly unusual for a web service and could be indicative of a typosquatting attempt, phishing, or an attempt to mislead users into thinking it's a local executable. Users are also instructed to save their password to `~/.gitpad_password`, which, if `gitpad.exe.xyz` is malicious, could lead to credential compromise. Investigate the legitimacy and security of `gitpad.exe.xyz`. If it is not a legitimate and secure service, replace the recommendation with a trusted alternative (e.g., GitHub, GitLab) or remove the recommendation entirely. Additionally, advise users against saving passwords in plain text files. | LLM | SKILL.md:100 |