meme-trench-scanner

Pass

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill documentation and logs refer to an installation script from 'onchainos.com', which is the official domain for OKX's onchainos platform. This reference is used to guide users on setting up the necessary CLI environment and is not executed automatically by the skill's scripts.
  • [COMMAND_EXECUTION]: The 'scan_live.py' and 'risk_check.py' scripts use the subprocess module to interact with the 'onchainos' CLI. Arguments are passed as a list to prevent shell injection vulnerabilities. A single instance of 'shell=True' is used in 'scan_live.py' for a local port cleanup operation using a hardcoded configuration value, which poses no significant security risk.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted token data (symbols, descriptions) from various Solana launchpads.
      • Ingestion points: In 'scan_live.py', token metadata is fetched via the 'memepump_token_list' and 'trades' functions.
      • Boundary markers: Absent; token data is displayed directly on the dashboard and in logs.
      • Capability inventory: The skill can execute token swaps via the 'onchainos' CLI using 'subprocess.run'.
      • Sanitization: External strings are passed as individual arguments in a command list to the subprocess module, preventing them from being interpreted as shell commands.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 9, 2026, 05:44 AM