hydra-head-operator
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill sets `command-dispatch: tool` with `command-arg-mode: raw` in its metadata. This configuration causes the agent to forward user-provided arguments directly to the shell without model mediation or safety filtering. While intended for an 'operator' persona, this bypasses standard LLM reasoning layers.
- EXTERNAL_DOWNLOADS (MEDIUM): The script `scripts/hydra-node.sh` uses `docker run` to pull and execute the `ghcr.io/cardano-scaling/hydra-node` image. Since the `cardano-scaling` organization is not on the predefined trusted list, this is classified as an external dependency download and execution at runtime.
- INDIRECT_PROMPT_INJECTION (LOW): The skill is susceptible to indirect injection because it ingests data from external API endpoints and local files which could contain malicious instructions.
  - Ingestion points: API outputs from `scripts/hydra-api.sh` and file contents via the `Read` tool.
  - Boundary markers: Absent; no clear delimiters separate data from instructions in the shell output.
  - Capability inventory: Permission to execute `Bash(curl, docker, hydra-node)` and to `Write` files.
  - Sanitization: None; external responses are returned directly to the agent context.
- DATA_EXFILTRATION (SAFE): Although the skill handles sensitive Cardano and Hydra private keys (`.sk` files), the analysis did not find any patterns suggesting these keys are transmitted to non-whitelisted external domains. Network activity is limited to local API ports and the specified Docker registry.
Audit Metadata