flare-fassets

Fail

Audited by Gen Agent Trust Hub on Feb 26, 2026

Risk Level: HIGH (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION)
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The documentation in SKILL.md references and recommends a third-party community minting dApp located at 'fassets.au.cc', which has been flagged as malicious by automated security scanners. User interaction with this domain could lead to phishing or asset theft.
  • [COMMAND_EXECUTION]: The skill provides several scripts (e.g., reserve-collateral.ts, execute-minting.ts, redeem-fassets.ts) designed to execute high-value financial transactions on the Flare and XRP Ledger networks. If an AI agent executes these scripts with parameters influenced by an attacker, it could result in unauthorized movement of user funds.
  • [CREDENTIALS_UNSAFE]: The provided scripts require sensitive environment variables, specifically 'PRIVATE_KEY' for EVM transactions and wallet seeds for XRP Ledger transactions. Storing or processing these credentials within an AI agent's context or environment is a high-risk practice that could lead to full account compromise.
  • [PROMPT_INJECTION]: The skill documentation correctly identifies an indirect prompt injection risk associated with processing XRPL payment memos and FDC proofs. While it includes warnings to treat this data as opaque binary content, the reliance on external on-chain data as a source of instruction or parameters creates a persistent vulnerability surface for the agent.
Recommendations
  • AI detected serious security threats
  • Contains 2 malicious URL(s) - DO NOT USE
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 26, 2026, 12:04 AM