Bankr x402 SDK - Balance Queries
Warn
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill requires the @bankr/sdk Node.js package. This package is from an unverified source and is not on the list of trusted external providers. Using third-party SDKs to manage private keys and financial data carries significant supply-chain risk.
- INDIRECT_PROMPT_INJECTION (MEDIUM): The skill uses the client.promptAndWait() method, which maps natural language directly to SDK operations. There is a lack of explicit boundary markers or sanitization logic in the provided implementation. If untrusted input is interpolated into the prompt, it could cause the tool to execute unintended queries or disclose sensitive wallet information.
  - Ingestion points: The prompt parameter in client.promptAndWait() (SKILL.md).
  - Boundary markers: None present.
  - Capability inventory: Multi-chain balance queries, NFT data retrieval, and external API calls for floor prices.
  - Sanitization: None provided in the usage example.
- DATA_EXPOSURE (LOW): While the skill correctly uses environment variables (process.env.BANKR_PRIVATE_KEY) rather than hardcoding secrets, it is designed to handle and display highly sensitive financial data, including balances and NFT holdings across multiple chains.
Audit Metadata