celestia

Pass

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: SAFE
PROMPT_INJECTION · COMMAND_EXECUTION · NO_CODE
Full Analysis
  • [PROMPT_INJECTION]: The skill documentation identifies an indirect prompt injection surface where the agent ingests untrusted blockchain data and possesses significant capabilities.
      • Ingestion points: The agent retrieves headers and data shares via the Header and Shares modules, including methods like 'GetSharesByNamespace' (references/core-shares-and-das.md) and 'Subscribe' (references/core-headers.md).
      • Boundary markers: The documentation does not specify the use of delimiters or instructions for the agent to ignore instructions embedded within retrieved blockchain content.
      • Capability inventory: The skill describes high-privilege capabilities such as 'SubmitTx', 'SubmitPayForBlob', and 'Transfer' for financial transactions (references/core-state-and-txs.md), as well as node management via CLI.
      • Sanitization: There is no mention of sanitizing or validating data retrieved from the network before it is processed by the agent.
  • [COMMAND_EXECUTION]: The skill provides instructions for node initialization and management using the 'celestia' CLI tool (references/core-node-types.md).
  • [NO_CODE]: The skill contains no executable scripts or source code files, consisting entirely of markdown reference documentation and metadata.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 28, 2026, 09:46 PM