onchainkit
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The skill executes
npm create onchain@latestwhich downloads and runs remote code from the npm registry. As the developer (Coinbase) is not on the trusted whitelist, this is classified as execution of unverifiable remote scripts. - [EXTERNAL_DOWNLOADS] (MEDIUM): The script
scripts/setup-environment.pyperforms runtime installation of the@coinbase/onchainkitpackage during environment setup. - [COMMAND_EXECUTION] (LOW): Multiple scripts utilize
subprocess.runto execute system commands for project initialization and validation. While input validation (alphanumeric check) is present for project names, shell command execution via agent-mediated scripts remains a risk factor.
Recommendations
- AI detected serious security threats
Audit Metadata