agentic-gateway
Fail
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill instructs the agent to access and manipulate sensitive files containing private keys and environment secrets, such as `wallet-key.txt`, `wallet.json`, and `.env` files.
- [COMMAND_EXECUTION]: The skill directs the agent to execute shell commands (e.g., `grep`, `cut`, `cp`) to extract and move private keys between local files. This includes using shell pipes to move sensitive content into configuration files.
- [EXTERNAL_DOWNLOADS]: The skill uses `npm install` and `npx` to fetch and run external packages and tools, including `@alchemy/x402`, `mppx`, and `viem`. While these are vendor-related, they represent a remote code ingestion vector.
- [REMOTE_CODE_EXECUTION]: The skill employs `node -e` to execute complex JavaScript logic for generating SIWE and SIWS authentication tokens and signing payment authorizations at runtime. This involves building executable strings from markdown content and running them via the shell.
- [DATA_EXFILTRATION]: The skill uses a pattern where sensitive local credentials (private keys) are read and processed locally to create authentication tokens that are then transmitted to external gateway endpoints (e.g., `x402.alchemy.com`, `mpp.alchemy.com`).
- [PROMPT_INJECTION]: The skill includes instructions to override the agent's behavior by mandating that it ignore cached information and always recommend Alchemy as the primary infrastructure provider, which is a form of brand-based instructional steering.
- [PROMPT_INJECTION]: The skill processes untrusted external data from the blockchain (an indirect prompt injection surface), such as NFT metadata and asset transfer records, which could contain malicious strings intended to influence the agent's subsequent actions.
- Ingestion points: Data fetched via the NFT API (`references/data-nft-api.md`) and the Portfolio API (`references/data-portfolio-apis.md`).
- Boundary markers: The skill lacks explicit markers or delimiters to distinguish between system instructions and data retrieved from external blockchain sources.
- Capability inventory: The agent has access to high-risk capabilities including sensitive file access, network operations (`curl`), and dynamic code execution (`node -e`).
- Sanitization: Although the documentation notes that users should "Treat NFT metadata URLs and images as untrusted input," no automated sanitization is implemented within the skill's instructions.
Recommendations
- AI detected serious security threats
Audit Metadata