ardi
Fail
Audited by Gen Agent Trust Hub on May 4, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill's documentation and bootstrap scripts (scripts/bootstrap.sh, README.md) recommend installing components by piping a remote script to a shell: curl -fsSL https://raw.githubusercontent.com/awp-worknet/ardi-skill/main/install.sh | sh. This script is hosted on the author's GitHub repository and executes with user privileges.
- [EXTERNAL_DOWNLOADS]: The skill downloads the ardi-agent executable from GitHub releases during the installation process. Additionally, an automated scan flagged the public RPC endpoint https://base.meowrpc.com (referenced in src/rpc.rs) as malicious; however, this is a well-known public service provider.
- [COMMAND_EXECUTION]: The skill installs a systemd timer and service (ardi-mine.timer, ardi-mine.service) to run mining tasks in the background autonomously. It also executes the ardi-agent CLI and is designed to spawn other agent frameworks such as Claude Code or Hermes to perform riddle-solving tasks.
- [PROMPT_INJECTION]: The skill ingests riddle content from an external coordinator API (api.ardinals.com), which presents a surface for indirect prompt injection.
  - Ingestion points: Riddle data is fetched and processed in src/cmd/context.rs.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the prompt templates (e.g., tools/auto-mine/prompt/ardi-mine-tick.md).
  - Capability inventory: The skill can execute shell commands (src/main.rs) and perform blockchain transactions through awp-wallet (src/tx.rs).
  - Sanitization: External riddle content is not sanitized before being presented to the agent for reasoning.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/awp-worknet/ardi-skill/main/install.sh - DO NOT USE without thorough review
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata