bittensor
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The installation instructions in
README.mdsuggest usingnpx skills add KennethAshley/bittensor-cli-skill. This source is an untrusted third-party repository outside the permitted trust scope, posing a supply chain risk. - COMMAND_EXECUTION (HIGH): The skill grants the agent the ability to execute shell commands (
python scripts/metagraph.py) and perform sensitive CLI operations (btcli). Combining these capabilities with the ingestion of external, user-controlled data from a decentralized network creates a significant security risk. - Indirect Prompt Injection (HIGH): The skill processes data from the Bittensor metagraph (e.g., validator names and subnet metadata) which is controlled by external network participants.
- Ingestion points: Data from the decentralized network enters the agent context through
metagraph.pyandsubnets.py. - Boundary markers: Absent. There are no delimiters or instructions provided to the agent to ignore potentially malicious content embedded in network data.
- Capability inventory: The agent has access to script execution and the
btclimanagement tool for wallet and registration actions. - Sanitization: Absent. The skill does not implement validation or escaping for data retrieved from the Bittensor network, allowing potentially malicious strings to be treated as instructions.
Recommendations
- AI detected serious security threats
Audit Metadata