bankr
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Metadata Poisoning] (MEDIUM): The 'references/llm-gateway.md' file lists several non-existent AI model versions (e.g., 'gpt-5.2', 'claude-opus-4.6', 'gemini-3-pro', 'kimi-k2.5'). This is deceptive content that misleads users or agents regarding the actual capabilities and providers of the service.\n- [Indirect Prompt Injection] (LOW): Multiple files (e.g., 'references/transfers.md', 'references/nft-operations.md') describe features that ingest untrusted data from social handles (@twitter, @farcaster) and external URLs. \n
- Ingestion points: Handle resolution in 'transfers.md' and URL processing in 'nft-operations.md'.\n
- Boundary markers: None documented.\n
- Capability inventory: Fund transfers, raw calldata execution, and prediction market betting.\n
- Sanitization: Not mentioned, leaving the agent vulnerable to instructions embedded in external metadata.\n- [Command Execution] (LOW): The 'references/llm-gateway.md' file describes a CLI command 'bankr llm claude' that forwards arbitrary arguments to a separate 'claude' binary, facilitating potentially unmonitored command execution.\n- [External Downloads] (LOW): The documentation ('references/error-handling.md') instructs users to install a global package '@bankr/cli' from an external registry to use the skill's capabilities.
Audit Metadata