near-cli-rs
Fail
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill provides numerous command templates that require passing highly sensitive secrets like plaintext seed phrases and private keys as command-line arguments (e.g., in import-account, get-public-key, and create-account sections). Passing secrets in CLI arguments is insecure as they may be visible in process lists, shell history, or application logs.
- [CREDENTIALS_UNSAFE]: The export-account command patterns (near account export-account <ACCOUNT_ID> using-seed-phrase ...) explicitly instruct the agent to print account seed phrases and private keys to the terminal. If an agent executes these, it will expose the credentials directly into the conversation context.
- [COMMAND_EXECUTION]: The skill provides a large inventory of powerful shell commands for financial transactions (NEAR/FT/NFT transfers), contract deployment, and account deletion. These capabilities, while intended, represent a high-impact surface if misused.
- [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection. It instructs the agent to ingest untrusted user data (such as account IDs, amounts, and JSON arguments) and interpolate them directly into shell commands without providing any guidance on sanitization or boundary markers.
  - Ingestion points: User-provided strings for <ACCOUNT_ID>, <RECEIVER_ACCOUNT_ID>, <SEED_PHRASE>, and json-args in SKILL.md.
  - Boundary markers: Absent. The skill does not instruct the agent to use delimiters or ignore instructions within these inputs.
  - Capability inventory: Full account control via the near CLI, including fund transfers, key management, and contract state changes across all documented scripts.
  - Sanitization: Absent. There is no instruction to validate or escape shell metacharacters in user input before command execution.
Recommendations
- AI detected serious security threats
Audit Metadata