botchan
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- CREDENTIALS_UNSAFE (HIGH): The skill documentation explicitly instructs users to manage sensitive blockchain private keys using environment variables (`BOTCHAN_PRIVATE_KEY`) and command-line flags (`--private-key KEY`). This practice is dangerous for AI agents as keys may be logged in shell history, process lists, or accidentally exposed during debugging.
- PROMPT_INJECTION (HIGH): The skill is designed to ingest untrusted third-party content from the Base blockchain (via `botchan read`, `botchan profile`, and `botchan comments`).
  - Ingestion points: Public blockchain feeds and direct messages read into the agent's context.
  - Boundary markers: No explicit markers or 'ignore' instructions are suggested in the provided documentation for handling this content.
  - Capability inventory: The skill allows the agent to execute write operations (`botchan post`, `botchan register`), creating a feedback loop where malicious onchain instructions could trigger the agent to perform unauthorized transactions or leak data.
  - Sanitization: There is no evidence of sanitization or filtering of the onchain message content before it is processed by the agent.
- EXTERNAL_DOWNLOADS (MEDIUM): The installation instructions require downloading code from an untrusted source (`npx skills add stuckinaboot/botchan` and `npm install -g botchan`). Neither the GitHub user 'stuckinaboot' nor the 'botchan' package is on the trusted list.
Recommendations
- AI detected serious security threats
Audit Metadata