cryptotokenkit
Warn
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The documentation provides a shell command that uses sudo to execute a binary as the _securityagent user, which is a high-privilege operation. Evidence: 'sudo -u _securityagent /Applications/TokenHost.app/Contents/MacOS/TokenHost' in SKILL.md.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting data from hardware security tokens without explicit validation or boundary markers.
  1. Ingestion points: TKSmartCard.send() and transmit() calls in SKILL.md and references/cryptotokenkit-patterns.md.
  2. Boundary markers: Absent; there are no instructions to the agent to treat card data as untrusted or delimited.
  3. Capability inventory: The skill has the capability to interact with the system keychain and perform cryptographic signatures/decryption.
  4. Sanitization: While the code checks status words for communication success, it lacks logic to sanitize or validate the actual data payload returned from the token.