signals
Pass
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATIONNO_CODE
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill exhibits a significant attack surface for Indirect Prompt Injection (IPI) by processing unverified external content to trigger financial transactions.
- Ingestion points: Untrusted data enters the agent context via RSS/Atom feeds, Twitter/X account polling, and external webhooks as documented in
SKILL.md. - Boundary markers: Absent. There are no clear delimiters or instructions provided to the agent to treat signal content as untrusted data rather than instructions.
- Capability inventory: The skill is capable of executing buys and sells on the Solana blockchain (supporting Raydium, Jupiter, and Pump.fun), which involves the movement of real funds.
- Sanitization: Absent. The logic relies on simple keyword and regex matching, which can be bypassed by adversarial content designed to exploit the parsing logic.
- [Data Exposure & Exfiltration] (LOW): The skill requires the
SOLANA_PRIVATE_KEYenvironment variable. While no explicit code for exfiltration is present in the markdown, the handling of high-value credentials in a skill that consumes untrusted data increases the overall risk profile. - [Network Operations] (LOW): The skill references an external domain
clodds.iofor its webhook implementation. This is a non-whitelisted domain and represents a dependency on an untrusted third-party service for signal delivery. - [No Code Provided] (SAFE): The provided skill consists solely of a configuration markdown file. No executable logic (Python, JavaScript, or Shell scripts) was included for a deeper behavioral audit.
Audit Metadata