kamino-lend
Pass
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: SAFE
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill automates the installation of the onchainos CLI by fetching a shell script from the vendor's official GitHub repository and piping it to the shell. This is a standard installation procedure for this vendor's ecosystem.
- [EXTERNAL_DOWNLOADS]: The skill retrieves its core functional binary, kamino-lend, directly from the vendor's GitHub release assets. This is consistent with the skill's purpose and the developer's use of vendor infrastructure.
- [DATA_EXFILTRATION]: During installation, the skill generates a device fingerprint using the hostname, operating system, and the user's HOME directory path. This metadata is hashed and transmitted to the vendor's reporting APIs for usage tracking. Although this involves system metadata, the collection is part of the installation telemetry and is reported to vendor-controlled domains.
- [COMMAND_EXECUTION]: The skill interacts with the Solana blockchain by executing the onchainos CLI to query balances and broadcast transactions, following explicit user confirmation via the --confirm flag.
Audit Metadata