near-kit
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- CREDENTIALS_UNSAFE (HIGH): The skill explicitly supports using FileKeyStore targeting ~/.near-credentials. This is a standard path for NEAR CLI but contains sensitive, often unencrypted, private keys that an agent could be prompted to leak or misuse.
- COMMAND_EXECUTION (HIGH): The Sandbox utility and the deployContract functionality allow for the execution and deployment of arbitrary WASM code. While intended for testing and development, these tools provide a high-privilege execution surface.
- DATA_EXFILTRATION (MEDIUM): The skill facilitates the handling of seed phrases and private keys (e.g., via generateSeedPhrase and parseSeedPhrase). An agent could be manipulated via prompt injection to exfiltrate these secrets to an external contract or endpoint.
- INDIRECT PROMPT INJECTION (HIGH): The skill ingests untrusted data from blockchain contracts via near.view.
  - Ingestion points: near.view results, contract event logs, and wallet connection events.
  - Boundary markers: None identified in the provided documentation or code snippets.
  - Capability inventory: Full blockchain write access (send tokens, call methods, delete accounts, add/delete keys).
  - Sanitization: No evidence of sanitization of contract-returned data before it reaches the agent context.
- UNVERIFIABLE DEPENDENCIES (MEDIUM): The skill references several external packages such as @hot-labs/near-connect and @near-wallet-selector/core. While these are from known organizations, the skill also dynamically loads contract WASM files from the local filesystem (fs.readFile("./contract.wasm")), which is a risk if the source of the WASM is not verified.
Recommendations
- AI detected serious security threats
Audit Metadata