Bankr x402 SDK - Token Swaps
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill provides an attack surface where untrusted user input is passed directly to an AI-powered transaction builder and subsequently executed on-chain. Maliciously crafted prompts could lead to unauthorized token transfers or approval of malicious contracts. Ingestion points: 'prompt' parameter in the BankrClient.promptAndWait() function call. Boundary markers: Absent; there are no delimiters or instructions to ignore embedded commands. Capability inventory: 'wallet.sendTransaction' (Capability to execute blockchain transactions and modify state). Sanitization: Absent; the skill lacks any validation or filtering of the user-provided prompt before processing.
- Unverifiable Dependencies (MEDIUM): The skill relies on the '@bankr/sdk' package. This organization is not in the trusted scope, posing a supply chain risk for a component that handles sensitive private keys and financial operations.
- Command Execution (MEDIUM): The skill's primary function involves generating and executing shell-equivalent high-risk operations (blockchain transactions) through the wallet.sendTransaction method.
Recommendations
- AI detected serious security threats
Audit Metadata