alchemy
Pass
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [SAFE]: The skill provides detailed and legitimate integration guides for blockchain data products, including NFT, token, and portfolio APIs. The instructions focus on standard developer workflows.
- [SAFE]: The skill contains mandatory security instructions for the agent, explicitly prohibiting the use of file manipulation tools (Read, Write, Edit) on sensitive files that might contain private keys. It correctly advises using shell pipes to avoid exposing secrets in logs.
- [COMMAND_EXECUTION]: The skill makes use of standard command-line utilities like
curl,node, andnpxfor wallet management, transaction signing, and network requests. These commands are necessary for the skill's functionality and follow established security best practices for CLI usage. - [EXTERNAL_DOWNLOADS]: The skill references several well-known and industry-standard Node.js packages, such as
viem,mppx, andaxios, for handling blockchain logic and HTTP communication. These are legitimate dependencies for the described tasks. - [SAFE]: The skill addresses potential indirect prompt injection risks by explicitly warning that external blockchain data (such as NFT metadata) should be treated as untrusted and sanitized before use.
- [SAFE]: All external domains used in the skill, including
x402.alchemy.com,mpp.alchemy.com, andx402.bankr.bot, are verified as belonging to the primary service provider or the skill's authoring vendor.
Audit Metadata