wallet-tracker-mcap
Pass
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The bot executes shell commands via
subprocess.runto interact with theonchainosCLI for blockchain data and transaction execution. The implementation uses a list-based argument structure (notshell=True), which prevents command injection from external data such as token symbols or wallet addresses. - [DATA_EXFILTRATION]: No evidence of unauthorized data exfiltration was found. The bot communicates exclusively through the
onchainosCLI for on-chain operations. A local web dashboard is provided on port 3248, which only serves data to the local machine. - [PROMPT_INJECTION]: The skill instructions in
SKILL.mdinclude operational guidelines for the AI agent (Launch Protocol) but do not contain instructions that attempt to bypass safety filters or extract system prompts. The instructions explicitly define an 'External Data Boundary' to prevent untrusted data from influencing agent behavior. - [REMOTE_CODE_EXECUTION]: The skill uses only the Python standard library and does not download or execute remote code. Dependencies are correctly handled via the platform's trusted CLI.
- [CREDENTIALS_UNSAFE]: No hardcoded credentials or secrets were detected. The bot relies on the user being logged into the
onchainosCLI externally, ensuring private keys remain in a secure enclave (TEE).
Audit Metadata