turbo-sdk
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGHCREDENTIALS_UNSAFEDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
- [CREDENTIALS_UNSAFE] (HIGH): Exposure of cryptographic private keys in the repository file structure.
- Evidence: The file structure in
references/file_structure.mdreveals files named0x20c1DF6f3310600c8396111EB5182af9213828Dc.eth.pk.txtandBTV1zY7njS5an91v9nphCK48d2vnMuecEgHLYiP25ycj.sol.sk.jsoninside thetests/files/directory. Storing raw private keys (Ethereum and Solana) in a repository, even for testing, is a critical security risk as they can be easily compromised. - [CREDENTIALS_UNSAFE] (MEDIUM): Insecure handling of wallet private keys via CLI parameters.
- Evidence: The documentation in
references/x402-turbo-upload.mdprovides examples where users are instructed to pass their private key directly as a command-line argument (e.g.,--wallet "0xYOUR_PRIVATE_KEY"). Secrets passed as CLI arguments are logged in shell history (.bash_history) and are visible to other users/processes via system monitoring tools likeps. - [DATA_EXFILTRATION] (MEDIUM): Capability to read and transmit local files to external endpoints.
- Evidence: The core purpose of the tool is to take a local file path (
--path) and upload its contents to a remote service (https://upload.ardrive.io). While this is the intended functionality, an agent with access to this tool could be manipulated into exfiltrating sensitive system files (e.g.,.env, SSH keys) if not strictly constrained. - [COMMAND_EXECUTION] (LOW): Execution of external scripts and installation of dependencies.
- Evidence: The installation instructions in
references/x402-turbo-upload.mdrequire cloning a remote repository and runningyarnandyarn build, which involves executing third-party code on the host machine.
Recommendations
- AI detected serious security threats
Audit Metadata