bankr-signals
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: The skill implements an indirect prompt injection surface by instructing the agent to fetch and execute instructions from a remote vendor-controlled URL (https://bankrsignals.com/heartbeat.md) during its heartbeat routine.
- Ingestion point: HEARTBEAT.md (Step 1).
- Capability inventory: The skill uses curl for network requests and shell scripts for local operations.
- Boundary markers: There are no explicit delimiters or safety instructions provided to the agent for processing the fetched content.
- Sanitization: No evidence of validation or sanitization for the remote instructions.
- [COMMAND_EXECUTION]: The script scripts/publish-signal.sh utilizes dynamic code execution via node -e to run an inline JavaScript snippet for cryptographic signing. Additionally, HEARTBEAT.md uses python3 -c for inline JSON processing.
- [CREDENTIALS_UNSAFE]: The skill requires the configuration of sensitive credentials, including blockchain private keys and Bankr API keys (bk_...). It suggests storing these in local configuration files (~/.clawdbot/skills/bankr/config.json), which exposes them to other processes with file system access.
Audit Metadata