dune-mcp-skill
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to use
uxcand a linkeddune-mcp-clicommand. These commands are used for legitimate interaction with the documented Dune API endpoint (api.dune.com). - [CREDENTIALS_UNSAFE]: The skill provides clear guidance on secure authentication using environment variables (
DUNE_API_KEY) or secret managers like 1Password (op://). It correctly uses placeholders like{{secret}}instead of hardcoding any actual keys. - [EXTERNAL_DOWNLOADS]: The skill references the official Dune API endpoint (
https://api.dune.com/mcp/v1). These references are necessary for the skill's primary function and target a well-known service provider. - [REMOTE_CODE_EXECUTION]: No patterns of remote script execution or dynamic code evaluation were detected. All execution is limited to pre-defined CLI operations.
- [DATA_EXFILTRATION]: No evidence of sensitive file access or unauthorized data transmission was found. Network activity is confined to the official API domain for the purpose of retrieving blockchain data.
- [PROMPT_INJECTION]: No attempts to override system prompts, bypass safety filters, or extract underlying instructions were found in the skill body or metadata.
- [SAFE]: The validation script (
scripts/validate.sh) is a standard utility for ensuring project structure and documentation consistency. It does not perform any dangerous operations.
Audit Metadata