Trust Assessment
zkclaw received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 2 critical, 2 high, 0 medium, and 0 low severity. Key findings include: dynamic execution of an external markdown file, direct execution of an external shell script via `curl | bash`, and the skill requiring direct access to the `WALLET_PRIVATE_KEY` environment variable.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Details | Layer | Location |
|---|---|---|---|---|
| CRITICAL | Dynamic execution of external markdown file | The skill explicitly instructs the agent to 'Fetch and run' an external markdown file (`https://zkclaw.com/heartbeat.md`) periodically. This creates a severe command injection and prompt injection vulnerability, as the content of `heartbeat.md` is untrusted and could contain malicious instructions or code that the agent would execute without prior review. This also poses a data exfiltration risk if the external file instructs the agent to send sensitive data. Avoid instructing the agent to directly 'run' or execute content from external, untrusted URLs. If dynamic content is necessary, it should be fetched and parsed safely by the agent's internal logic, not executed directly. The content should ideally be part of the skill package or undergo strict validation. | LLM | skill.md:60 |
| CRITICAL | Direct execution of external shell script via `curl \| bash` | The skill instructs the agent to download and execute a shell script from `https://bun.sh/install` directly via `curl -fsSL ... \| bash`. This is a severe command injection vulnerability. A compromised `bun.sh` server or a man-in-the-middle attack could lead to arbitrary code execution on the agent's host system, granting an attacker full control. Never instruct an agent to directly execute shell scripts downloaded from external URLs. Runtimes and dependencies should be installed through secure, verified package managers, or provided within a controlled, sandboxed environment. If `bun` is a hard requirement, it should be pre-installed or installed via a more secure, auditable method. | LLM | skill.md:115 |
| HIGH | Skill requires direct access to `WALLET_PRIVATE_KEY` environment variable | The skill explicitly instructs the agent to access `process.env.WALLET_PRIVATE_KEY` and pass it directly to the `ZKClaw` SDK. While this is necessary for the skill's core functionality (signing blockchain transactions), it exposes the agent's private key to the skill's runtime and its dependencies. A malicious or compromised SDK could exfiltrate this highly sensitive credential, leading to loss of funds or unauthorized control of the associated wallet. Agents should ideally use secure credential management systems (e.g., KMS, secure enclaves) that allow signing operations without directly exposing the raw private key to the skill's code. If direct access is unavoidable, ensure the SDK is thoroughly audited, sandboxed, and its integrity verified. Consider using a dedicated, low-value wallet for agent operations. | LLM | skill.md:79 |
| HIGH | Unpinned dependency `@zkclaw/sdk` introduces supply chain risk | The skill instructs the agent to install the `@zkclaw/sdk` package using `bun add @zkclaw/sdk` without specifying a version. This means that any future version of the package, including potentially malicious updates or versions containing new vulnerabilities, could be installed without explicit review. This poses a significant supply chain risk, as a compromised package maintainer or registry could push harmful code. Always pin dependencies to specific, immutable versions (e.g., `bun add @zkclaw/sdk@1.0.0`) or use strict version ranges (e.g., `^1.0.0` with a lockfile). Regularly audit and update dependencies after careful review to mitigate supply chain risks. | LLM | skill.md:118 |
Full report: https://skillshield.io/report/da292931c9663407
Powered by SkillShield