Skills
skills/bio-xyz/agent-skills/bios-deep-research/Gen Agent Trust Hub

bios-deep-research

Warn

Audited by Gen Agent Trust Hub on Apr 5, 2026

Risk Level: MEDIUMCREDENTIALS_UNSAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The Python implementation in references/python-script.md attempts to read sensitive credential files from hardcoded system paths, including ~/.openclaw/credentials/cdp_api_key.json and /data/.clawdbot/credentials/cdp_api_key.json, to obtain API keys and wallet secrets.
  • [COMMAND_EXECUTION]: The script references/python-script.md uses the subprocess module to execute shell commands, specifically npm install for dependency management and node to run the local signer script.
  • [EXTERNAL_DOWNLOADS]: The skill performs dynamic package installation at runtime. If the required Node.js modules are missing, it automatically executes npm install to download @coinbase/cdp-sdk, @x402/core, @x402/evm, and viem from the NPM registry.
  • [REMOTE_CODE_EXECUTION]: The skill implements a multi-language execution flow where a Python controller generates inputs for and executes a local Javascript script (research_signer.mjs) using the node runtime to perform EIP-712 and SIWE signing operations.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 5, 2026, 01:45 PM