aomi-transact

Fail

Audited by Snyk on May 8, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly permits running credential-persisting commands (e.g., aomi secret add NAME=value, aomi wallet set <key>, --api-key flags) when the user supplies the secret in-turn, which requires the LLM to embed the secret verbatim into generated command output and thus creates an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill explicitly invokes external data sources (e.g., the "default" app's brave_search in references/apps.md and social apps like x and neynar) and the agent is expected to ingest and act on those third-party/web/social results (quotes, routes, posts) as part of building/simulating/signing transactions, so untrusted user-generated content can materially influence tool decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly invokes the Aomi CLI via on-demand fetching/execution (e.g., "npx @aomi-labs/client", which pulls package code from the npm registry such as https://registry.npmjs.org/@aomi-labs/client) so remote code is fetched and executed at runtime and is a required dependency for the skill to operate.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed for blockchain financial operations: it exposes commands to build, simulate, sign, and submit on-chain transactions (aomi tx list, aomi tx simulate, aomi tx sign), supports EIP-712 payloads, account-abstraction signing flows, wallet configuration (aomi wallet set), and secret ingestion for signing keys. These are concrete crypto/wallet signing and broadcast capabilities (not generic tooling), so it grants direct financial execution authority.

Audit Metadata
Risk Level: HIGH
Analyzed: May 8, 2026, 06:54 PM
Issues: 4