Trust Assessment
xmtp-cli-setup received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The key finding is a private key exposed in a command-line argument example.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Private key exposed in command-line argument example: The skill documentation provides an example command `xmtp init --private-key 0x1234...` which demonstrates passing a private key directly as a command-line argument. This practice is highly insecure, as command-line arguments are often logged, visible in process lists, and easily accessed by other users or processes on the system, leading to credential exposure. This poses a significant risk if an agent were to use this pattern with actual sensitive keys. Advise against passing private keys directly as command-line arguments. Instead, recommend secure methods such as environment variables (e.g., `XMTP_PRIVATE_KEY=0x1234... xmtp init`), secure prompts, or file-based secrets management with appropriate file permissions. The skill should guide users towards these secure practices. | LLM | SKILL.md:25 |
[Full report on SkillShield](https://skillshield.io/report/fbccf50c9bba6be6)