lista-lending
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes a sibling skill, 'lista-wallet-connect', using 'child_process.execSync' to process blockchain transactions. The path to the executable is resolved statically relative to the skill's internal directory structure, and command arguments are constructed from validated user inputs and session identifiers.
- [SAFE]: All external dependencies originate from the author's official organizations (@lista-dao) or well-known blockchain libraries (viem). Communications are restricted to established blockchain RPC endpoints and vendor-managed SDKs.
- [SAFE]: Context and configuration are stored locally in the user's home directory ('~/.agent-wallet/'), following the established pattern for this agent's ecosystem. No hardcoded credentials or unauthorized data access patterns were found.
- [SAFE]: Although the skill ingests external protocol data (e.g., vault names and market descriptions), it implements clear agent guidelines requiring human consent and explanation before any transaction, mitigating risks associated with indirect prompt injection.
Audit Metadata