dune
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides instructions to download and execute installation scripts (install.sh and install.ps1) directly from the official vendor repository (github.com/duneanalytics/cli). This behavior is documented as a vendor-aligned resource.\n- [COMMAND_EXECUTION]: During the recovery process, the skill modifies system-level shell configuration files such as
~/.zshrcand~/.bashrcto append PATH exports. On Windows systems, it modifies user environment variables via PowerShell commands.\n- [DATA_EXFILTRATION]: The skill reads from and writes to a sensitive local file at~/.config/dune/config.yamlto manage Dune API keys. To mitigate exposure, the skill includes explicit instructions for the agent to redact these keys from any response.\n- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection due to its core function of ingesting and processing data from external blockchain logs.\n - Ingestion points: Query results and execution summaries (e.g.,
dune query runanddune execution resultsinreferences/query-execution.mdandreferences/dataset-discovery.md)\n - Boundary markers: Absent; there are no specified delimiters or warnings for the agent to ignore instructions embedded within the blockchain data results\n
- Capability inventory: Subprocess execution via
Bash(dune:*)andBash(curl:*)across multiple reference files\n - Sanitization: Explicit instructions in
SKILL.mdto scan for and redact strings resembling API keys from CLI output before presentation.
Audit Metadata