cardano-cli-staking
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The script
scripts/cardano-cli.shusesexec "${ARGS[@]}" "$@"to dynamically execute commands. This pattern passes any arguments provided by the AI agent directly to the shell or Docker, which can be exploited if the agent interpolates unsanitized user input into the command strings. - [EXTERNAL_DOWNLOADS] (MEDIUM): The skill is configured to pull and run a Docker image from
ghcr.io/intersectmbo/cardano-node. While this is a common community source for Cardano, the organizationintersectmbois not on the predefined list of trusted entities, making the downloaded code unverifiable. - [DATA_EXFILTRATION] (MEDIUM): The Docker execution environment in
scripts/cardano-cli.shmounts the current working directory (-v "$PWD":/work). Because the skill's primary purpose is managing Cardano signing keys (.skeyfiles), this configuration exposes sensitive private cryptographic keys to the container environment. - [PROMPT_INJECTION] (LOW): The skill contains an indirect prompt injection surface.
- Ingestion points: Files like
stake.addrare read usingcatwithin command templates. - Boundary markers: None; the content of these files is directly interpolated into commands.
- Capability inventory: The skill can execute arbitrary CLI commands via the provided shell script or the referenced operator skill.
- Sanitization: No validation or escaping is performed on the data read from local files before it is used in execution.
Audit Metadata