percolator
Warn
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: MEDIUM; EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- Persistence Mechanisms (MEDIUM): The deployment guide (deployment.md) provides a systemd service unit definition for a 'Keeper Bot'. This establishes long-term persistence on the host machine. Although consistent with the skill's primary purpose of maintaining protocol health, automated execution should be reviewed.
- Unverifiable Dependencies & Remote Code Execution (MEDIUM): The skill directs users to download and build code from several GitHub repositories (github.com/aeyakovenko/percolator*) that are not on the predefined trusted list. These repositories contain the core logic and scripts executed via cargo and pnpm.
- Data Exposure & Exfiltration (MEDIUM): The configuration and setup guides (SETUP.md, PERCOLATOR_SKILL_README.md) reference access to sensitive local files, specifically the default Solana wallet path (~/.config/solana/id.json). This constitutes exposure of high-value credentials, though it is typical for the intended use case.
- Indirect Prompt Injection (LOW): The skill describes an attack surface where the agent ingests data from external sources such as oracle accounts and market state (oracles.md).
  - Ingestion points: Oracle account data and market slab state.
  - Boundary markers: Not explicitly defined in the prompt templates.
  - Capability inventory: Execution of CLI tools and blockchain transaction submission.
  - Sanitization: Code-level validation (price bounds/staleness) is described in the documentation.
Audit Metadata