Skills
skills/aomi-labs/skills/aomi-transact/Snyk

aomi-transact

Fail

Audited by Snyk on Mar 13, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs embedding secrets in commands (e.g., --private-key 0xYourPrivateKey, --api-key, RPC URL flags) which requires the agent to include secret values verbatim in generated command output, creating an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill, by default, uses the remote backend https://api.aomi.dev at runtime to host conversation state and produce agent responses, so this external URL directly controls the agent's prompts/instructions and is a required dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed to build, sign, and broadcast on-chain EVM transactions and to perform token swaps and wallet operations. It exposes commands for swapping tokens, sending transactions, signing with a private key (via aomi sign --private-key), EIP-712 typed-data signatures, and specifying an RPC URL to broadcast — i.e., direct crypto/blockchain financial execution capabilities.

Issues (3)

W007
HIGH

Insecure credential handling detected in skill instructions.

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
HIGH
Analyzed
Mar 13, 2026, 12:01 AM
Issues
3