sati-sdk
Warn
Audited by Snyk on Mar 7, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill clearly fetches and ingests untrusted public content (e.g., auto-fetching MCP tool/prompt listings from arbitrary MCP endpoints via agent.setMCP and the CLI's "auto-discover" step, fetching registration files via fetchRegistrationFile/ipfs or HTTP, and using hosted REST endpoints like sati.cascade.fyi), and that external content is parsed into agent metadata and used to populate capabilities/behavior (e.g., mcpTools, services) which can materially influence registration, discovery, and subsequent tool use — see "Note: When publishing via CLI... auto-discovers MCP tools", "Auto-Fetch" in docs/guides/mcp-agent.md, and fetchRegistrationFile in SKILL.md.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The SDK/CLI auto-fetches MCP endpoints at runtime (for example, "https://mcp.example.com" or "https://myagent.com/mcp") to load tools, prompts, and resources which directly become agent prompts/behavior, so remote content at those URLs can control agent instructions during publish.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed for on-chain crypto operations and includes multiple functions that sign and submit Solana transactions (i.e., perform blockchain financial actions). Examples: registerAgent / publish (requires a payer and charges ~0.003 SOL on mainnet), transfer to move ownership, giveFeedback/prepareFeedback/submitPreparedFeedback which use wallets to sign and the server to submit transactions, createKeyPairSignerFromBytes to load a payer keypair, signMessage wallet flows (Phantom/Phantom-like adapters), updateReputationScore (publishes a score on-chain with a payer/provider keypair), and linkEvmAddress with secp256k1 signatures. The SDK repeatedly requires a "payer" or KeyPairSigner and documents transaction costs and gas-related errors (insufficient funds, blockhash expiry). These are specific crypto/blockchain transaction capabilities (wallets, signing, sending on-chain transactions), which fall under the "Crypto/Blockchain (Wallets, Swaps, Signing)" criterion for Direct Financial Execution.