aicoin-market

Warn

Audited by Gen Agent Trust Hub on Apr 3, 2026

Risk Level: MEDIUM (CREDENTIALS_UNSAFE, COMMAND_EXECUTION)
Full Analysis
  • [CREDENTIALS_UNSAFE]: The file lib/defaults.json contains hardcoded accessKeyId and accessSecret credentials used for accessing the AiCoin API. Although documented as public free-tier keys, they represent embedded credentials within the skill source.
  • [CREDENTIALS_UNSAFE]: The script scripts/coin.mjs implements an update_key action that allows the agent to write user-provided API credentials directly into .env files. While intended for tool configuration, this provides a mechanism for modifying sensitive environment files on the local system.
  • [COMMAND_EXECUTION]: The skill relies on executing multiple Node.js scripts (market.mjs, coin.mjs, news.mjs, etc.) to perform its functions. These scripts are granted access to read from and write to the local file system (specifically .env files) and to perform network requests to the vendor's API.
  • [DATA_EXFILTRATION]: The api_key_info action in scripts/coin.mjs reads local .env files and returns metadata, including partial key previews and the absolute file path, to the agent's context.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 3, 2026, 06:42 AM