payment-assistant
Pass
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill processes data from external QR codes and backend API responses, which are untrusted ingestion points for indirect prompt injection. \n
- Ingestion points: Data enters the system through the
--raw_qrparameter and via API responses from the Binance payment gateway. \n - Boundary markers: The
SKILL.mdinstructions explicitly mandate that the AI agent must wrap all user-controlled fields (like payee names and remarks) with marker brackets 「」 to visually isolate them from system text. \n - Capability inventory: The skill has the ability to perform network requests to Binance APIs and execute local commands for clipboard management. \n
- Sanitization: The skill provides robust instructions for the agent to treat API fields as display-only and never interpret them as executable instructions or flow-control modifiers. \n- [COMMAND_EXECUTION]: The script executes shell commands to interact with the system clipboard across different operating systems. \n
- Evidence:
payment_skill.pycallsosascript(macOS),xclip(Linux), andpowershell(Windows) within theQRCodeHandlerclass. \n - Analysis: These commands are used solely to retrieve image data from the clipboard. The command strings use hardcoded paths and arguments, ensuring that no untrusted user input is interpolated into the shell execution environment. \n- [EXTERNAL_DOWNLOADS]: The skill performs network operations to communicate with Binance's official payment APIs. \n
- Evidence: The skill connects to
https://bpay.binanceapi.comby default. \n - Analysis: These operations are directed toward a well-known service associated with the skill's author and are required for the intended functionality of processing payments.
Audit Metadata