tronbox
Pass
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill documents core operations such as tronbox compile, migrate, and test, which execute local code for development. As described in the migration documentation, these scripts are executed in a VM context to manage deployment and testing states.
- [EXTERNAL_DOWNLOADS]: The tronbox unbox command is documented as a primary feature used to download project templates from remote repositories. The documentation references well-known and trusted sources such as the official TRON Protocol GitHub organization.
- [CREDENTIALS_UNSAFE]: While the framework handles sensitive blockchain private keys, the documentation promotes high-security hygiene by instructing users to use environment variables and .env files. Example configurations provided use obvious dummy placeholders to prevent accidental exposure.
- [PROMPT_INJECTION]: The skill represents a surface for indirect prompt injection, as it facilitates the processing of user-provided Solidity source code and JavaScript migration scripts.
  - Ingestion points: Contract source files and scripts located in the contracts/ and migrations/ directories as defined in the configuration.
  - Boundary markers: Not explicitly specified; the tool is designed to execute valid code directly.
  - Capability inventory: File system writes for build artifacts, script execution during migrations/testing, and network access to blockchain nodes via tronWeb and ethers.
  - Sanitization: Includes the use of @solidity-parser/parser to handle dependency resolution during contract flattening.
Audit Metadata