authenticate-wallet
Warn
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFEREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill facilitates the storage of private keys and session tokens in plaintext JSON files (e.g.,
~/.config/fibx/session.jsonor~/Library/Preferences/fibx-nodejs/session.json). Plaintext storage of cryptographic private keys is a high-risk practice as it allows any process or user with file system access to compromise the wallet. - [REMOTE_CODE_EXECUTION]: The skill uses
npx fibx@latestto execute CLI commands. This pattern fetches and executes the most recent version of thefibxpackage from the public npm registry at runtime. Running unversioned remote code without integrity checks (like hashes) exposes the user to supply chain attacks if the package or registry is compromised. - [COMMAND_EXECUTION]: The skill executes shell commands with user-supplied parameters (
email,code) without explicit instructions for sanitization or escaping. Theallowed-toolsconfiguration uses wildcards (e.g.,Bash(npx fibx@latest auth login *)), which may allow an attacker to perform command injection by providing malicious input that includes shell metacharacters. - [EXTERNAL_DOWNLOADS]: The skill initiates downloads of the
fibxpackage from the npm registry vianpxduring execution.
Audit Metadata