bankr

Warn

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION

Full Analysis
  • [COMMAND_EXECUTION]: The skill relies on the execution of the bankr CLI binary to perform wallet operations and interact with the AI agent across various blockchain networks.
  • [EXTERNAL_DOWNLOADS]: The skill documentation instructs users to install the @bankr/cli package globally via bun or npm. This package is a vendor-owned resource associated with the BankrBot organization.
  • [REMOTE_CODE_EXECUTION]: The skill exposes the capability to submit raw EVM transactions and arbitrary calldata to several blockchains (Base, Ethereum, Polygon, Unichain) via the /agent/submit endpoint and corresponding CLI commands. Documentation in references/arbitrary-transaction.md and references/sign-submit-api.md confirms that the submit endpoint has no confirmation prompts and executes immediately, allowing for arbitrary logic execution on-chain if transaction data is sourced from untrusted inputs.
  • [DATA_EXFILTRATION]: The LLM Gateway (llm.bankr.bot) acts as a proxy for multiple LLM providers, transmitting user prompts and context to an external service for model inference, creating a path for potentially sensitive data to leave the local environment.
  • [PROMPT_INJECTION]: The skill presents a risk for indirect prompt injection due to its broad financial capabilities combined with the ingestion of natural language prompts.
      • Ingestion points: Processes user-provided text through the bankr prompt command and REST API, which may include data retrieved from untrusted web content or market research.
      • Boundary markers: There is an absence of delimited sections or instructions to the agent to ignore embedded commands within processed external data.
      • Capability inventory: The skill can perform high-risk operations including asset transfers, token swaps, leverage positions, and raw transaction submission across multiple chains.
      • Sanitization: There is no documented evidence of input validation or sanitization within the skill files to mitigate the risk of an agent obeying malicious instructions embedded in untrusted data.

Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 5, 2026, 03:50 AM