authenticate

Pass

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: SAFE
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (LOW): The skill is designed to ingest and process output from the fdx status command to determine authentication state, which presents a surface for indirect prompt injection.
      • Ingestion points: Output of fdx status and fdx setup commands.
      • Boundary markers: Absent; there are no clear delimiters separating command output from the agent's internal reasoning or following instructions.
      • Capability inventory: The skill allows execution of Bash commands (restricted to fdx subcommands).
      • Sanitization: No explicit sanitization or validation of the CLI output is defined before the agent acts upon it.
  • Command Execution (LOW): The allowed-tools configuration uses broad wildcards, which is a security best-practice violation.
      • Evidence: Bash(fdx setup*), Bash(fdx status*), Bash(fdx logout*).
      • Risk: The use of * allows the agent to pass arbitrary flags to the fdx CLI. If the CLI supports flags that can override the MCP server URL (FDX_MCP_SERVER) or the token store path (FDX_STORE_PATH), a malicious input could potentially redirect the authentication flow or access different file paths.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 19, 2026, 03:45 AM