straitsx
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [SAFE]: The skill content is restricted to documentation and reference material for the StraitsX API. No executable scripts are included in the skill distribution.
- [EXTERNAL_DOWNLOADS]: Instructions are provided to install the official StraitsX Node.js SDK using `npx api install "@straitsx/v1-CARDS#3dwuze2vmets10z5"`. This command fetches the official vendor SDK hosted on the well-known Readme platform.
- [DATA_EXFILTRATION]: Authentication methods are documented using safe placeholders such as `<your_client_id>`, `<your_client_secret>`, and `TOKEN`. The skill does not access sensitive local file systems or perform unauthorized data transfers.
- [PROMPT_INJECTION]: The skill defines a surface for indirect prompt injection via the processing of external webhook data and authorization requests.
- Ingestion points: Incoming request payloads for the Remote Host Authorization (RHA) and Webhook endpoints, specifically within fields like `metadata`, `remarks`, `message`, and `description`.
- Boundary markers: None identified in the reference material.
- Capability inventory: High-privilege card management operations including creation, status modification, PIN setup, and financial transaction approval.
- Sanitization: No explicit sanitization or input validation logic is detailed in the documentation for handling external strings.
Audit Metadata