Trust Assessment
zyfai received a trust score of 70/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. The key finding is that the skill requires the user's EOA private key, enabling full wallet control.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Skill requires user's EOA private key, enabling full wallet control. The skill explicitly lists 'Private Key of the user's EOA (the agent must provide this)' as a prerequisite. Providing an EOA's private key grants the skill complete and unrestricted control over the user's wallet, including all funds and assets. This directly contradicts the skill's claim of being 'non-custodial' from the perspective of the agent, as the agent would become a custodian by handling this key. This is a severe credential harvesting risk and an excessive permission request, as the skill could perform any transaction on behalf of the user. Skills should never request or handle raw private keys. Instead, they should integrate with secure wallet providers (e.g., MetaMask, WalletConnect) that handle transaction signing client-side, or operate solely with limited-permission session keys or signed messages that are explicitly approved by the user for specific actions. The skill's architecture should be revised to remove the dependency on the full EOA private key for any operation. | LLM | SKILL.md:45 |