trade
Warn
Audited by Gen Agent Trust Hub on Mar 31, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill relies on the `npx` utility to fetch the `fibx` package from the npm registry whenever a command is run. This creates a persistent dependency on external content managed outside the skill's direct control.
- [REMOTE_CODE_EXECUTION]: The use of `npx fibx@latest` constitutes remote code execution, as the agent downloads and runs executable code from a remote repository at runtime. The use of the `@latest` tag is particularly risky because it automatically pulls the most recent version, which may contain unvetted or malicious changes.
- [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands that interact with blockchain networks to perform token swaps and approvals. This involves high-privilege operations such as spending user funds, which are triggered by external CLI tools.
Audit Metadata