cardano-cli-wallets
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM COMMAND_EXECUTION EXTERNAL_DOWNLOADS
Full Analysis
- [Command Execution] (MEDIUM): The skill provides `scripts/cardano-cli.sh` and instructs the user/agent to make it executable and run it (`chmod +x`). This script acts as an execution wrapper, which contradicts the 'guidance-only' and 'no execution' claims made in the `SKILL.md` frontmatter and body.
- [Unverifiable Dependencies & Remote Code Execution] (MEDIUM): The included shell script pulls and executes a Docker image from `ghcr.io/intersectmbo/cardano-node`. While IntersectMBO is a legitimate organization in the Cardano ecosystem, it is not on the 'Trusted External Sources' list provided in the security guidelines, making the remote content unverifiable. [TRUST-SCOPE-RULE] does not apply here to downgrade the severity.
- [Metadata Poisoning] (MEDIUM): There is a contradiction between the skill's description ('no execution') and its actual content (providing and documenting an execution script). This deceptive metadata can lead to a misjudgment of the skill's security profile.
- [Indirect Prompt Injection] (LOW): Command templates in `SKILL.md` and `reference/wallets.md` use shell sub-commands like `$(cat base.addr)` to interpolate file contents into execution strings.
  - Ingestion points: Contents of `base.addr`, `payment.vkey`, and other wallet files are read directly into the shell context.
  - Boundary markers: No delimiters or warnings are used to prevent the execution of malicious instructions if the file contents are attacker-controlled.
  - Capability inventory: The skill provides a shell wrapper (`cardano-cli.sh`) capable of performing file system operations and network queries.
  - Sanitization: None; the content is passed directly to the shell for evaluation.
Audit Metadata