monitoring-whale-activity
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches real-time cryptocurrency transaction data and market pricing from well-known services including Whale Alert (api.whale-alert.io), CoinGecko (api.coingecko.com), and Etherscan (api.etherscan.io) APIs.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and displays unsanitized strings from external API responses.
- Ingestion points:
scripts/whale_api.pyfetches transaction details, including 'owner' and 'owner_type' labels, from the Whale Alert API. - Boundary markers: There are no boundary markers or explicit instructions provided to the agent to treat the retrieved transaction data as untrusted content.
- Capability inventory: The agent is granted capabilities for
Read,Write,Edit, and restrictedBashexecution, which could be exploited if an attacker-controlled wallet label contains malicious instructions that the agent follows. - Sanitization: The Python scripts do not perform sanitization or filtering on the labels or entity names retrieved from the external data providers.
Audit Metadata