token-minter

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • Dynamic Execution (MEDIUM): The skill generates Solidity source code at runtime using a Python script and immediately compiles and deploys it.
    • Evidence: scripts/generate_contract.py assembles source code that is written to src/Contract.sol and then passed to forge build and forge create in SKILL.md.
  • Indirect Prompt Injection (LOW): The skill is vulnerable to injection: a user could supply a malicious token name or symbol that breaks the Solidity syntax or injects unauthorized logic into the contract.
    • Ingestion points: User-provided parameters (name, symbol) in SKILL.md Step 1.
    • Boundary markers: Absent.
    • Capability inventory: Subprocess calls to forge build and forge create (compilation and deployment).
    • Sanitization: Absent; scripts/generate_contract.py uses direct string interpolation (.format()) without escaping or validation.
  • External Downloads (LOW): The skill downloads external code via forge install.
    • Evidence: Downloads OpenZeppelin/openzeppelin-contracts from GitHub.
    • Trust Status: Downgraded to LOW because OpenZeppelin is a verified Trusted Organization.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 06:18 PM