bnbchain-mcp
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill contains tools that fetch external, attacker-controllable data intended for LLM analysis, such as contract source code and git diffs. This creates a high-risk surface where malicious instructions in code comments or commit history could override agent behavior.
  - Ingestion points: 'get_smart_contract_source' and 'get_recent_git_diffs' functions in 'scripts/mcp-client.py'.
  - Boundary markers: None identified.
  - Capability inventory: Subprocess execution ('uv run') in 'scripts/mcp-client.py'.
  - Sanitization: None identified.
- [Unverifiable Dependencies & Remote Code Execution] (MEDIUM): The skill relies on the 'bnbchain-mcp' package which is not from a trusted organization. The skill does not enforce version pinning or integrity checks, posing a risk if the environment contains a compromised version of the package.
- [Command Execution] (LOW): The script 'scripts/mcp-client.py' uses 'asyncio.create_subprocess_exec' to run external commands. While it uses a safe argument list to prevent direct shell injection, it remains a capability that relies on the security of the underlying environment and the external 'bnbchain-mcp' tool.
- [Metadata Poisoning] (LOW): The stated author 'BNB Chain' in 'package.json' does not match the actual owner '0xlucasliao' in '_meta.json'. This is misleading but does not pose a direct technical risk.
Recommendations
- Automated analysis detected serious security threats.