helixa
Fail
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/helixa-search.shcontains a command injection vulnerability. It takes the first command-line argument and places it directly inside a Python string literal executed viapython3 -c. An attacker can escape the single quotes by providing a payload like'); <malicious_code>; ('to execute arbitrary Python or shell commands on the host system. - [REMOTE_CODE_EXECUTION]: The script
scripts/check-cred.shpipes output from a network request directly into the Python interpreter (python3 -m json.tool). This pattern of execution is dangerous as it allows a compromised or malicious server to potentially execute arbitrary code if the output is manipulated to bypass the intended module's constraints. - [EXTERNAL_DOWNLOADS]: The skill downloads data and configuration from the external domain
api.helixa.xyzand interacts with the Base blockchain network. While this is expected for the skill's functionality, the lack of sanitization on the downloaded data combined with the execution patterns identified above poses a significant security risk. - [PROMPT_INJECTION]: The skill processes untrusted user-generated content (agent names, narratives, traits) fetched from the Helixa API. The scripts lack boundary markers or sanitization to prevent these strings from being interpreted as instructions by the agent, creating a surface for indirect prompt injection. 1. Ingestion points:
scripts/helixa-get.shand related wrappers. 2. Boundary markers: Absent. 3. Capability inventory: Access to shell commands (curl, cast, python3) and environment variables. 4. Sanitization: Absent.
Recommendations
- HIGH: Downloads and executes remote code from: https://api.helixa.xyz/api/v2/cred/${AGENT_ID} - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata