ERC-8004 Reputation
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGH
Categories: EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill possesses a high-risk attack surface by ingesting untrusted data from the ERC-8004 registry and external APIs while maintaining the capability to execute on-chain transactions.
  - Ingestion points: The `lookup`, `feedback`, and `leaderboard` commands retrieve arbitrary strings (tags, feedback, agent names) from the blockchain and the Agentscan API into the agent's context.
  - Boundary markers: The skill documentation lacks any mention of delimiters or instructions to ignore embedded commands in the retrieved reputation data.
  - Capability inventory: The skill can execute blockchain write operations via `scripts/reputation.py give` and `scripts/reputation.py revoke`, which utilize private keys/mnemonics.
  - Sanitization: There is no evidence of sanitization for the retrieved NL strings before they are processed by the agent.
- External Download (MEDIUM): The installation process involves cloning code from an untrusted personal GitHub repository.
  - Evidence: `git clone https://github.com/aetherstacey/erc8004-reputation-skill.git` in README.md.
- Command Execution (LOW): The skill relies on executing local Python scripts to perform its functions. While standard for skills, this provides the mechanism through which an indirect prompt injection could trigger unintended on-chain actions.
Recommendations
- AI detected serious security threats
Audit Metadata