veil
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill generates and manages a sensitive Veil private key (
VEIL_KEY) stored in~/.clawdbot/skills/veil/.env.veil. It also reads an API key from~/.clawdbot/skills/bankr/config.jsonto authenticate requests to the Bankr API. Access to these credentials is central to the skill's functionality. - [EXTERNAL_DOWNLOADS]: The skill depends on the
@veil-cash/sdkpackage, which is recommended to be installed via NPM or cloned from theveildotcash/veildotcash-sdkGitHub repository. These sources are outside the predefined trusted vendor list. - [COMMAND_EXECUTION]: Numerous bash scripts are used to invoke the
veilCLI and handle blockchain data via system commands such asjq,curl, andnode. - [DATA_EXFILTRATION]: User prompts and unsigned transaction payloads are transmitted to
api.bankr.botfor signing and execution. This endpoint is a vendor-owned resource associated with the skill author. - [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface where untrusted data may be processed and forwarded to an external API.
- Ingestion points:
scripts/veil-bankr-prompt.shtakes arbitrary command-line arguments as input;scripts/veil-bankr-submit-tx.shreads transaction JSON from an input stream. - Boundary markers: Absent. There are no delimiters or instructions to ignore embedded commands in the data sent to the Bankr API.
- Capability inventory: The skill can perform network operations via
curland execute private blockchain transactions viaveil_cli. - Sanitization: Data is encoded into JSON using
jq, which prevents structural breakage but does not filter the content for malicious instructions.
Audit Metadata