Trust Assessment
youtube received a trust score of 70/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. Key findings include Direct use and transmission of Ethereum private key.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Direct use and transmission of Ethereum private key The skill's setup instructions require the user to provide an Ethereum private key via an environment variable (`PRIVATE_KEY`). This highly sensitive credential is then directly used to initialize the `TeneoSDK` and connect to an external WebSocket service (`wss://backend.developer.chatroom.teneo-protocol.ai/ws`). This practice exposes the private key to the skill's runtime and transmits it to a third-party service, posing a significant risk of credential compromise, unauthorized transactions, or misuse of funds. Avoid direct handling of private keys within AI agent skills. Instead, utilize secure key management solutions, hardware security modules (HSMs), or delegated signing services. If direct signing is absolutely necessary, ensure the private key is never exposed to the agent's environment directly. Consider using a separate, isolated microservice for signing transactions, communicating via secure RPC, or implementing a multi-sig wallet with spending limits to mitigate risk. | LLM | SKILL.md:62 |
Scan History
Embed Code
[](https://skillshield.io/report/ccca8960a5179df2)
Powered by SkillShield