litcoin-miner
Warn
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The documentation and SDK instructions direct the agent to download a standalone miner script from https://litcoiin.xyz/litcoin_miner.py. This is an external source outside of established package registries.
- [REMOTE_CODE_EXECUTION]: The skill uses the litcoin Python package and litcoin-mcp Node package from unverified sources. Additionally, it encourages downloading and running a Python script directly from a remote URL.
- [COMMAND_EXECUTION]: The 'Research Mining' feature (agent.research_mine()) involves the agent generating Python code via an LLM to solve optimization problems and then executing that code locally for testing. This represents dynamic execution of potentially untrusted, machine-generated content without an explicit local sandbox requirement.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through 'Relay Mining' and 'Research Tasks'.
  - Ingestion points: Remote research task descriptions and third-party compute marketplace requests.
  - Boundary markers: No specific delimiters or safety instructions are mentioned for the local code testing phase.
  - Capability inventory: Local Python execution, network access to the protocol API, and smart contract interaction capabilities.
  - Sanitization: While the protocol claims the coordinator verifies code in a sandbox before rewarding, the agent is instructed to run the generated code locally for preliminary testing.
Audit Metadata