cardano-cli-operator
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
Flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [Unverifiable Dependencies & Remote Code Execution] (MEDIUM): The skill metadata and execution scripts reference the Docker image 'ghcr.io/intersectmbo/cardano-node:latest'. Although this is the official repository for the Cardano project, the organization is not included in the verified trusted list.
- [Data Exposure & Exfiltration] (LOW): The 'cardano-cli.sh' script mounts the host's current working directory ($PWD) to the container's /work directory, granting the containerized environment read and write access to all files in that directory.
- [Privilege Escalation] (LOW): The use of Docker for command execution typically requires elevated system privileges or membership in a privileged group.
- [Dynamic Execution] (LOW): The wrapper script uses the 'exec' command to forward raw, user-provided arguments directly to the cardano-cli binary or the Docker runner.
- [Indirect Prompt Injection] (LOW): The skill provides a shell execution surface but mitigates risks by explicitly disabling model invocation ('disable-model-invocation: true'). Mandatory Evidence: Ingestion points: raw shell arguments provided via the slash command; Boundary markers: none (uses raw mode); Capability inventory: shell execution via exec in cardano-cli.sh; Sanitization: model bypass and use of quoted bash arguments ($@).
Audit Metadata