viem-sweep
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS
Full Analysis
- EXTERNAL_DOWNLOADS (LOW): The README.md recommends installation via 'npx skills add melonask/viem-sweep-skills'. The author/organization 'melonask' is not on the trusted organizations list, meaning the source code is unverifiable and managed by an unknown entity.
- INDIRECT_PROMPT_INJECTION (LOW): The skill identifies a significant attack surface for indirect prompt injection if the agent attempts to execute these strategies using external data.
  - Ingestion points: Functions in `references/strategies.md` accept untrusted inputs such as `tokenAddress`, `recipient`, and `privateKey` as arguments.
  - Boundary markers: Absent; there are no instructions or delimiters within the code to prevent the agent from misinterpreting inputs as code or commands.
  - Capability inventory: The skill utilizes `walletClient.writeContract` and `adminWallet.sendTransaction` to perform on-chain asset transfers.
  - Sanitization: None; the reference implementations do not include validation or sanitization for addresses or input hex strings before use in sensitive operations.
- DATA_EXPOSURE (SAFE): While the code examples in `references/strategies.md` use `privateKey` parameters (e.g., `privateKeyToAccount(privateKey)`), these are standard implementation patterns for the Viem library and do not represent hardcoded secrets or exfiltration logic.
Audit Metadata