gigaverse

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE] (HIGH): The skill stores Ethereum private keys in plaintext.
    • Evidence: scripts/setup-wallet.sh and scripts/auth.sh write to and read from ~/.secrets/gigaverse-private-key.txt.
  • [COMMAND_EXECUTION] (MEDIUM): Subprocess calls utilize insecure interpolation.
    • Evidence: scripts/auth.sh and scripts/setup-wallet.sh use node -e with shell variables interpolated into the JS string.
  • [EXTERNAL_DOWNLOADS] (LOW): External dependencies are required for core functionality.
    • Evidence: Documentation and scripts require viem (npm) and cast (foundry).
  • [PROMPT_INJECTION] (HIGH): Indirect prompt injection surface exists via game API responses (Category 8).
    • Ingestion: Data from gigaverse.io (API described in references/api.md).
    • Capabilities: Subprocess execution, file system writes, and automated wallet transactions.
    • Sanitization: Absent.
    • Boundary markers: Absent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 11:20 AM