anp-agent
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill dynamically fetches Agent Description (AD) documents and interface schemas from remote URLs (e.g., agent-connect.ai, agent-search.ai) or user-provided endpoints to determine RPC methods and server locations.
- [COMMAND_EXECUTION]: The `setup.sh` script executes shell commands to install dependencies (`anp`, `aiohttp`) and utilizes `openssl` to generate local secp256k1 cryptographic keys used for identity verification.
- [CREDENTIALS_UNSAFE]: The skill generates and manages a local private key (`config/private-key.pem`) and a DID document (`config/did.json`). These sensitive files are used to sign requests sent across the ANP network.
- [DATA_EXFILTRATION]: The `call_method` function in `scripts/anp_cli.py` performs network operations to non-whitelisted RPC endpoints. These requests include user-provided parameters and cryptographic signatures, potentially exposing user interaction data to third-party agents.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from external sources.
  - Ingestion points: `scripts/anp_cli.py` (fetches remote JSON configuration and receives RPC responses from external agents via the `anp` library).
  - Boundary markers: Absent. Data returned from external agents is printed directly to the terminal and returned to the agent context without delimiters or warnings.
  - Capability inventory: `scripts/anp_cli.py` (has the ability to perform network requests and access local configuration files).
  - Sanitization: None. External content is parsed as JSON but not sanitized for malicious instructions before being presented to the agent.
Audit Metadata