Bankr Dev - Arbitrary Transactions

Warn

Audited by Socket on Feb 15, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Backtick command substitution detected

All findings:
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

This skill's declared capabilities match its implementation: it validates and passes arbitrary transaction data to an execute() helper. The file itself contains no direct network calls or hidden obfuscation, but it grants a high-privilege capability (submit arbitrary calldata and value transfers) while omitting critical details about where and how transactions are signed/broadcast and which endpoints are used. Without auditing the referenced bankr-client and the endpoints it contacts, this skill is a supply-chain risk: it could be abused to perform unauthorized transactions or leak transaction/credential data.

Action: treat as suspicious until bankr-client and the network/credential flows are verified.

LLM verification: The provided skill code is consistent with its documented purpose and includes reasonable basic validation. There are no direct signs of obfuscation, hardcoded secrets, or explicit malicious code in the fragment. The primary security concern is the missing bankr-client/execute() implementation and its network endpoints — because transaction submission and signing occur there, a compromised or malicious bankr-client could exfiltrate data or perform unauthorized transactions. Treat this skill as h

Confidence: 75%
Severity: 75%
Audit Metadata
Analyzed At
Feb 15, 2026, 06:47 PM
Package URL
pkg:socket/skills-sh/BankrBot%2Fclaude-plugins%2Fbankr-dev-arbitrary-transactions%2F@38dc1a497b189cf26c13868139c0b4f875148e51