agentbox-provision

Warn

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: MEDIUM
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill's Node.js script (provision.mjs) reads a Solana wallet.json file containing a 64-byte private key array. This exposes highly sensitive financial credentials to the agent's script execution context to sign blockchain transactions for the $5 USDC fee.
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of external Node.js packages including @x402/fetch, @x402/svm, and @solana/kit. These packages are used to manage x402-based payments and interact with the Solana blockchain and the api.agentbox.fyi endpoint.
  • [COMMAND_EXECUTION]: The provided code uses process.argv to accept file paths and readFileSync to load them from the disk. This pattern constitutes sensitive file access, as it enables the script to read arbitrary files from the local filesystem if the provided path is not strictly validated.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 4, 2026, 03:12 PM