ens-primary-name

Warn

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The shell scripts unsafely interpolate variables into node -e execution blocks, allowing for arbitrary JavaScript execution if an input contains single quotes.
  • In scripts/set-avatar.sh, the variables $ENS_NAME and $AVATAR_URL are inserted into a JavaScript string: const name = '$ENS_NAME'; const avatar = '$AVATAR_URL';. A malicious input could break out of the string and execute unauthorized code.
  • In scripts/set-primary.sh, the $ENS_NAME variable is similarly interpolated into a Node.js execution block without sanitization.
  • In scripts/verify-primary.sh, the variables $REVERSE_RESULT and $ADDRESS are passed directly into JavaScript code blocks, posing a similar injection risk.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 9, 2026, 11:46 PM