skills/aibtcdev/skills/wallet/Gen Agent Trust Hub

wallet

Fail

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: HIGH
Tags: CREDENTIALS_UNSAFE, COMMAND_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: Sensitive credentials, including passwords and BIP39 mnemonics, are passed as plain-text command-line arguments.
  • Evidence in wallet.ts: The create, import, unlock, delete, export, and rotate-password subcommands all use .requiredOption("--password <password>", ...) or .requiredOption("--mnemonic <mnemonic>", ...). Command-line arguments are visible to other local users in the process list (e.g. via ps or /proc/<pid>/cmdline) and are routinely recorded in shell history files.
  • [CREDENTIALS_UNSAFE]: The skill prints private key material (BIP39 mnemonics) in plaintext to standard output.
  • Evidence in wallet.ts: The create and export command actions print the mnemonic phrase directly via printJson. When the skill is run by an automated agent or inside a CI/CD job, the mnemonic lands in the agent transcript or build log, where it is retained and often widely readable.
  • [CREDENTIALS_UNSAFE]: The skill relies on a sensitive environment variable for configuration.
  • Evidence in wallet.ts: The status command reads the CLIENT_MNEMONIC environment variable. Environment variables leak through process inspection (e.g. /proc/<pid>/environ), crash and error reports that dump the environment, and inheritance by every child process the skill spawns.
  • [COMMAND_EXECUTION]: The skill permanently deletes sensitive data through a CLI command.
  • Evidence in wallet.ts: The delete command performs file-system operations that remove wallet data identified by the supplied wallet ID and password. Invoked by an agent, this is an irreversible destructive action.
Recommendations
  • The automated analysis flagged serious credential-handling risks. The findings above translate into the following remediations:
  • Accept passwords and mnemonics only from a file restricted to the owner (mode 0600), for example via a --password-file / --mnemonic-file option, or from standard input; never accept them as command-line arguments, since argv is exposed in ps output and shell history.
  • Do not print mnemonics to stdout. Write them to a newly created 0600 file (or an interactive prompt flow) and redact secret-named fields from any JSON the CLI emits, so agent transcripts and CI logs cannot capture them.
  • Replace the CLIENT_MNEMONIC environment variable with a file- or keychain-backed secret source; at minimum, avoid passing the environment through to child processes.
  • Treat delete as a destructive action that should not run unattended without an explicit confirmation step.
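The first two findings describe one pattern (secrets in argv, mnemonics on stdout) and its fix (secrets via owner-only files, redacted output). The TypeScript below is an added example written for this page, not code from the wallet skill or from Gen Agent Trust Hub; it deliberately does not use commander, and the names SECRET_FLAGS, SECRET_KEYS, parseArgs, newSecretDir, readSecretFile, writeSecretFile and redactForOutput are assumptions for the example, not identifiers from wallet.ts. It rejects --password and --mnemonic on the command line, accepts secrets only from a file whose mode is 0600, writes a newly generated mnemonic to a new 0600 file instead of stdout, and masks secret-named fields before JSON output.

```typescript
// Added example, not code from the audited wallet skill or from the auditor:
// a secrets-safe CLI pattern for a tool that an agent or CI job will invoke.
// SECRET_FLAGS, SECRET_KEYS, parseArgs, newSecretDir, readSecretFile,
// writeSecretFile and redactForOutput are names chosen for this example,
// not identifiers from wallet.ts.
import { chmodSync, mkdtempSync, readFileSync, statSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";

/** Flags that carry secret material and therefore must never appear in argv. */
const SECRET_FLAGS = ["--password", "--mnemonic"];

/** Object keys whose values are masked before any JSON reaches stdout. */
const SECRET_KEYS = ["password", "mnemonic", "privateKey"];

export interface ParsedArgs {
  command: string;
  options: { [name: string]: string };
}

/**
 * Minimal "--flag value" / "--flag=value" parser that refuses secret flags.
 * argv is readable by every local user via `ps` and /proc/<pid>/cmdline and is
 * written to shell history, so a secret on the command line has leaked before
 * the process even starts; the only safe response is to reject it outright.
 */
export function parseArgs(argv: string[]): ParsedArgs {
  const command = argv[0];
  if (!command) throw new Error("missing subcommand");
  const options: { [name: string]: string } = {};
  for (let i = 1; i < argv.length; i++) {
    const tok = argv[i];
    if (tok.slice(0, 2) !== "--") throw new Error(`unexpected argument: ${tok}`);
    const eq = tok.indexOf("=");
    const flag = eq === -1 ? tok : tok.slice(0, eq);
    if (SECRET_FLAGS.indexOf(flag) !== -1) {
      throw new Error(`refusing ${flag}: use ${flag}-file <path> (mode 0600) instead`);
    }
    const value: string | undefined = eq === -1 ? argv[++i] : tok.slice(eq + 1);
    if (value === undefined) throw new Error(`${flag} requires a value`);
    options[flag.slice(2)] = value;
  }
  return { command, options };
}

/** Create a private (0700) scratch directory for secret files. */
export function newSecretDir(): string {
  return mkdtempSync(join(tmpdir(), "wallet-secrets-"));
}

/**
 * Read a secret from a file. Anything readable by group or others is refused,
 * so a mnemonic dropped with lax permissions is an error, not a silent leak.
 */
export function readSecretFile(filePath: string): string {
  const st = statSync(filePath);
  if (!st.isFile()) throw new Error(`${filePath} is not a regular file`);
  if (process.platform !== "win32" && (st.mode & 0o077) !== 0) {
    throw new Error(`${filePath} is group/world accessible; chmod 600 it first`);
  }
  // Drop one trailing newline (editors add it); keep every other byte.
  return readFileSync(filePath, "utf8").replace(/\r?\n$/, "");
}

/**
 * Write a freshly generated secret (what `create`/`export` would otherwise
 * print) to a new 0600 file. Flag "wx" refuses to clobber an existing file,
 * and the explicit chmod pins the mode to exactly 0600 regardless of umask.
 */
export function writeSecretFile(filePath: string, secret: string): string {
  writeFileSync(filePath, secret + "\n", { encoding: "utf8", mode: 0o600, flag: "wx" });
  chmodSync(filePath, 0o600);
  return filePath;
}

/**
 * Deep-copy a value, masking secret-named fields, so a JSON printer can never
 * write a mnemonic into an agent transcript or a CI log.
 */
export function redactForOutput(value: unknown): unknown {
  if (Array.isArray(value)) return value.map(redactForOutput);
  if (value !== null && typeof value === "object") {
    const src = value as { [k: string]: unknown };
    const out: { [k: string]: unknown } = {};
    for (const k of Object.keys(src)) {
      out[k] = SECRET_KEYS.indexOf(k) !== -1 ? "[REDACTED]" : redactForOutput(src[k]);
    }
    return out;
  }
  return value;
}
```

A caller would then run something like `wallet create --name hot --password-file ./pw`, with ./pw created at mode 0600 beforehand; a `--password-stdin` option in the style of `docker login` is an equivalent choice for pipelines. The parser refuses both `--password hunter2` and `--mnemonic=...` forms, readSecretFile turns a world-readable secret file into a hard error, and redactForOutput is what a printJson-style helper should be fed instead of the raw wallet object.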
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 10, 2026, 11:12 PM