illustrated-slides-with-nano-banana
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill relies on `scripts/fluxa-cli.bundle.js`, which is an opaque, minified JavaScript bundle. Execution of non-source code prevents auditing of the underlying logic, which is critical for a tool handling financial transactions and private credentials.
- [COMMAND_EXECUTION] (MEDIUM): The skill instructs the agent to use the `open "<URL>"` command. This pattern is vulnerable to command injection or phishing if an attacker can manipulate the URL through indirect prompt injection or if the shell improperly parses the argument.
- [DATA_EXFILTRATION] (LOW): The skill manages highly sensitive data, including `AGENT_TOKEN` and `AGENT_JWT`, via environment variables. While necessary for the service, these are high-value targets for potential exfiltration by malicious actors.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill is designed to ingest external data from HTTP 402 payloads and payment links (via `curl`). This data is subsequently passed to the CLI tool, creating an attack surface for indirect injection.
  - Ingestion points: External server responses from `curl` commands in `X402-PAYMENT.md` and `PAYMENT-LINK.md`.
  - Boundary markers: Absent; external payloads are interpolated directly into CLI command strings.
  - Capability inventory: Network access, execution of local scripts, and system command execution (`open`).
  - Sanitization: No sanitization or validation of external JSON payloads is described before they are passed to the `x402-v3` command.