validate-address
Warn
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill uses the npx xno-skills command, which triggers the download of the xno-skills package from the NPM registry. This package is not from a trusted organization or well-known service, and the download process requires network access, which is inconsistent with the skill's offline validation claim.
- [COMMAND_EXECUTION]: The validation and QR generation steps involve executing shell commands that incorporate the parameter directly from user input. This pattern is vulnerable to command injection if the input contains shell metacharacters (e.g., semicolons, pipes, or backticks), as no sanitization or escaping instructions are provided for the agent.