stacks
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill documentation includes several commands for executing local binaries and profiling the system performance, some of which require elevated privileges.
  - Evidence: In `references/advanced-profiling.md`, the instructions for generating flame graphs on macOS suggest using `flamegraph --root`, which invokes DTrace and requires administrative permissions. Multiple `cargo run` commands are provided throughout `references/core-testnet-transactions.md` for interacting with the Stacks CLI.
- [PROMPT_INJECTION]: The skill enables an agent to interact with external data sources, creating a surface for indirect prompt injection (Category 8).
  - Ingestion points: According to `references/core-rpc-endpoints.md` and `references/features-event-dispatcher.md`, the agent may ingest data from RPC responses and JSON event payloads (e.g., transaction data, contract results, or block events).
  - Boundary markers: No delimiters or protective instructions are present to prevent the agent from accidentally executing instructions found within the ingested blockchain data.
  - Capability inventory: The skill facilitates the execution of CLI tools (`cargo run`) and network requests (`curl`), providing a path for potential exploitation of injected instructions.
  - Sanitization: There is no evidence of data sanitization or validation protocols for content received from the blockchain network.
- [EXTERNAL_DOWNLOADS]: The skill provides instructions for obtaining external resources required for node profiling.
  - Evidence: `references/advanced-profiling.md` describes downloading a mainnet archive from Hiro, which is a well-known service provider within the Stacks ecosystem.
Audit Metadata