cast
Warn
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on spawning subprocesses for numerous local binaries including charms, bitcoin-cli, sign-txs, cancel-msg, and scrolls-nonce to manage transaction logic and blockchain interaction.
- [COMMAND_EXECUTION]: The script cast-autotrade-loop.sh sources external configuration files provided as arguments, which allows for arbitrary shell command execution if the input file is not strictly controlled.
- [CREDENTIALS_UNSAFE]: In cast-cancel-signature.sh, extended private keys (xprv) are read from files and passed as command-line arguments to the cancel-msg tool. This practice can expose sensitive credentials to local system monitoring tools or process listings.
- [DATA_EXFILTRATION]: The scripts cast-sign-and-broadcast.sh and derive-scrolls-address.sh use curl to transmit transaction hex data and fetch address information from user-defined external network endpoints.
Audit Metadata