gmgn-token
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the gmgn-cli@1.0.1 package from the npm registry. This is a vendor-specific tool provided by the skill author and is considered a trusted resource in the context of the skill's functionality.
- [COMMAND_EXECUTION]: The skill executes shell commands using the gmgn-cli binary to fetch token information, security metrics, and holder data. These commands incorporate user-supplied and API-retrieved arguments.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface where data retrieved from external API responses (token addresses) is interpolated into CLI commands.
  - Ingestion points: Token addresses are retrieved from external API responses and passed as arguments to the CLI.
  - Boundary markers: The documentation includes notes to validate that addresses match expected chain formats (e.g., base58 for Solana, hex for BSC/Base) to mitigate malicious input.
  - Capability inventory: Execution of subprocesses via the gmgn-cli tool which interacts with the local system and network.
  - Sanitization: The CLI tool is documented to enforce input validation at runtime, though the reliance on external API data for command arguments remains a structural risk.
Audit Metadata