authenticate-wallet

Fail

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, COMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill frequently executes npx fibx@latest, which fetches and runs the latest version of the fibx package from the npm registry. Neither the package nor the author ahmetenesdur is on the trusted list, posing a significant supply chain risk.
  • [REMOTE_CODE_EXECUTION] (HIGH): Using npx with an unpinned, unverified package version (@latest) allows for arbitrary code execution on the user's machine whenever the skill is invoked, as the downloaded package can contain any executable scripts.
  • [CREDENTIALS_UNSAFE] (HIGH): The skill's primary purpose is to handle cryptocurrency private keys and email OTPs. While the instructions tell the agent not to log these, the unverified CLI tool itself has full access to the keys during the auth import process and stores them in a local session file.
  • [COMMAND_EXECUTION] (MEDIUM): The skill relies on the Bash tool to execute system-level commands. While the commands are ostensibly restricted to the fibx CLI, the dynamic nature of npx downloads makes the actual impact of these commands unverifiable.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 21, 2026, 09:07 PM