Skills
skills/hubblevision/polyhub-skills/polyhub_copy/Gen Agent Trust Hub

polyhub_copy

Pass

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes the bash tool to execute curl requests. To mitigate command injection risks, it mandates the use of jq for building JSON payloads and implements strict regex validation (e.g., ^[0-9a-fA-F]{24}$) for user-provided identifiers like taskId.
  • [EXTERNAL_DOWNLOADS]: The skill interacts with external endpoints at polyhub.skill-test.bedev.hubble-rpc.xyz and polyhub.hubble.xyz. These domains are consistent with the infrastructure of the author, HubbleVision.
  • [CREDENTIALS_UNSAFE]: The skill requires a POLYHUB_API_KEY for authentication. It includes explicit instructions to never print the key in output and follows standard patterns for managing credentials via environment variables and header injection.
  • [DATA_EXPOSURE_AND_EXFILTRATION]: While the skill communicates with an external API, the data sent (trading configurations and IDs) is consistent with the skill's primary purpose. No patterns of sensitive local file access or unauthorized data harvesting were detected.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 1, 2026, 03:55 PM