multi-swap
Fail
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill executes `npx starkfi@latest`, which downloads and runs the latest published version of an external package from the npm registry at runtime. Because the version is not pinned, the code that runs is whatever was most recently published under that name, so a review of one version says nothing about the next; npx also runs the package's install lifecycle scripts before the command itself starts. This is a supply chain risk from an untrusted third-party source.
- [COMMAND_EXECUTION]: The `allowed-tools` section uses the wildcard `*` (e.g., `npx starkfi@latest multi-swap *`), which permits the agent to append arbitrary arguments or additional commands to the execution string.
- [COMMAND_EXECUTION]: The command template `npx starkfi@latest multi-swap "<pairs>"` interpolates a user-controlled string directly into a shell command. The surrounding double quotes keep a bare `;` or `&` from being interpreted, but they do not stop `$(...)`, backticks or `$VAR` from expanding, and an input containing a `"` closes the quoted string and turns everything after it into live shell syntax. Without rigorous sanitization these characters can be used to execute unauthorized system commands.
- [PROMPT_INJECTION]: The skill processes external data through the `pairs` parameter, creating an indirect prompt injection surface.
- Ingestion points: the `pairs` parameter in `SKILL.md`.
- Boundary markers: the input is wrapped in double quotes in the bash template, but there are no instructions to sanitize the content against embedded shell commands.
- Capability inventory: the skill uses the `Bash` tool to perform network and transaction operations across its scripts.
- Sanitization: no logic is provided to validate the input format or escape shell metacharacters before the data is passed to the command line.
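The interpolation weakness in the third finding, and the validated argv-based alternative, as an added example: this is not code from the multi-swap skill, the starkfi package, or Gen Agent Trust Hub. The audit does not show the grammar of `pairs`, so the regex below assumes a comma-separated list of upper-case `TOKEN/TOKEN` symbols as a stand-in, and `fake_swap` stands in for `npx starkfi@<pinned-version> multi-swap` so the script runs offline; both are assumptions, not facts about the skill.

```bash
#!/usr/bin/env bash
# Added example, not code from the multi-swap skill, starkfi, or the audit.
# Contrasts the audited pattern (value spliced into a shell string) with a
# validated, argv-based invocation. fake_swap stands in for
# `npx starkfi@<pinned-version> multi-swap` so the script runs offline.
set -u

# Stand-in for the real binary: reports exactly what argv it received.
fake_swap() {
  printf 'multi-swap received %d arg(s):' "$#"
  printf ' [%s]' "$@"
  printf '\n'
}

# VULNERABLE: the shell re-parses a string that embeds the value, which is
# what happens when the template `... multi-swap "<pairs>"` is run with the
# parameter substituted in as text. The double quotes do not help: a `"` in
# the input closes them, and `$(...)`, backticks and `$VAR` expand inside them.
vulnerable_invoke() {
  local pairs=$1
  eval "fake_swap \"$pairs\""
}

# Assumed grammar (not taken from the skill): comma-separated TOKEN/TOKEN
# pairs, upper-case alphanumerics only. Replace with the real grammar; the
# point is an allowlist that cannot contain quotes, `$`, backticks, `;`, `&`
# or whitespace, so validation fails closed on anything unexpected.
PAIR_RE='^[A-Z0-9]+/[A-Z0-9]+(,[A-Z0-9]+/[A-Z0-9]+)*$'

validate_pairs() {
  [[ $1 =~ $PAIR_RE ]]
}

# HARDENED: validate first, then pass the value as one argv element. No shell
# re-parses it, so even a value that slipped past validation would reach the
# program as a single literal argument rather than as command syntax.
safe_invoke() {
  local pairs=$1
  if ! validate_pairs "$pairs"; then
    printf 'rejected pairs value: %s\n' "$pairs" >&2
    return 2
  fi
  # In production this array would be
  #   (npx starkfi@<pinned-version> multi-swap "$pairs")
  # with an exact version instead of @latest.
  local -a argv=(fake_swap "$pairs")
  "${argv[@]}"
}

# Demo with a constructed payload that closes the quotes and runs an extra
# command; `:` is a no-op so the tail of the template parses cleanly.
PAYLOAD='ETH/USDC"; INJECTED=1; :"'
INJECTED=0
vulnerable_invoke "$PAYLOAD"
echo "vulnerable_invoke: INJECTED=$INJECTED"
INJECTED=0
safe_invoke "$PAYLOAD" || echo "safe_invoke: rejected (INJECTED=$INJECTED)"
safe_invoke 'ETH/USDC,USDC/DAI'
```

Run it with bash (it uses `[[ =~ ]]` and arrays). The same payload sets `INJECTED=1` through `vulnerable_invoke` and is rejected by `safe_invoke`; a value such as `ETH/USDC $(echo SUBST)` shows that command substitution also fires inside the double quotes. The argv form only helps if the `allowed-tools` pattern is tightened at the same time, since the `*` noted in the second finding lets the agent add arguments the validator never sees.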
Recommendations
- AI detected serious security threats
Audit Metadata