send-usdc

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill utilizes npx awal@latest to download and execute the awal package directly from the public npm registry.
      • Evidence: The allowed-tools and documentation specify the use of npx awal@latest for all operations.
      • Risk: The package awal is not from a trusted source or organization. Runtime execution of unverified npm packages can lead to arbitrary code execution if the package or registry is compromised.
  • COMMAND_EXECUTION (LOW): The skill constructs shell commands by interpolating user-provided inputs such as amount and recipient.
      • Evidence: The command npx awal@latest send <amount> <recipient> is used to process transactions.
      • Risk: While the documentation warns about single-quoting amounts to prevent bash expansion, there is a risk of shell command injection if the recipient (e.g., an ENS name) or amount contains malicious shell metacharacters and the agent fails to sanitize them before execution.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 04:36 PM