query-onchain-data
Warn
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- External Downloads / Remote Code Execution (MEDIUM): The skill utilizes npx awal@latest, which downloads and executes the latest version of the 'awal' package from the NPM registry at runtime. Since the 'awal' package is not from a trusted organization and the version is unpinned, this introduces a supply-chain risk where a compromised package could execute arbitrary code on the host.
- Indirect Prompt Injection (LOW): The skill processes untrusted data from the Base blockchain (transactions, events, and parameters).
  - Ingestion points: Query results from base.events and base.transactions are returned to the agent context.
  - Boundary markers: None identified in the prompt instructions to help the agent distinguish between data and instructions.
  - Capability inventory: The agent can execute bash commands and trigger payments using the awal tool.
  - Sanitization: No evidence of sanitization or filtering for the data returned from the blockchain.
- Command Execution (LOW): The skill dynamically constructs shell commands incorporating SQL queries. While it includes a security warning ('IMPORTANT: Always single-quote...') to prevent shell expansion/injection, this relies on the LLM's adherence to the instruction.
- Data Exposure / Network Operations (LOW): The skill makes network requests to x402.cdp.coinbase.com. While this is a legitimate endpoint for the service described, it is a non-whitelisted domain in this analysis framework.
Audit Metadata