allium-x402
Fail
Audited by Gen Agent Trust Hub on May 3, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs the agent to install the allium CLI by downloading a script from http://agents.allium.so/cli/install.sh and piping it directly to the shell. This pattern is inherently insecure as it executes remote code without integrity verification and uses unencrypted HTTP, making it susceptible to man-in-the-middle attacks.
- [CREDENTIALS_UNSAFE]: Setup instructions in x402-setup.md direct the agent to collect sensitive user data—such as private keys and API keys—and pass them as plain-text arguments to the allium auth setup command. This practice risks leaking credentials into system logs, shell history, and process monitoring tools.
- [EXTERNAL_DOWNLOADS]: During runtime, the skill performs unauthenticated downloads of instructions and documentation from remote URLs, specifically https://agents.allium.so/skills/ and https://docs.allium.so/llms.txt.
- [COMMAND_EXECUTION]: The skill's primary functionality is delivered through the execution of the allium CLI tool, involving the invocation of shell commands with parameters derived from both user input and remote data sources.
- [PROMPT_INJECTION]: The skill has a vulnerability surface for indirect prompt injection. It ingests untrusted data from blockchain records and remote documentation (ingestion points: allium output, llms.txt) and uses it to drive agent logic. The implementation lacks boundary markers to delimit external content and does not perform sanitization or validation of the ingested data before processing it through the agent's capabilities (allium CLI, curl).
Recommendations
- HIGH: Downloads and executes remote code from: http://agents.allium.so/cli/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata