megaeth-developer
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGH
Categories: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The skill instructs the agent to clone the 'mega-evm' repository from an unverified GitHub organization (megaeth-labs), which is not within the trusted scope.
- REMOTE_CODE_EXECUTION (HIGH): The documentation provides instructions to build and execute code from the unverified repository using 'cargo build', establishing a 'download then execute' risk pattern.
- DATA_EXFILTRATION (HIGH): The instructions reference sensitive private key storage at '~/.evm-wallet.json', which constitutes a high-risk exposure of sensitive file paths.
- PROMPT_INJECTION (HIGH): The skill lacks sanitization and boundary markers for processing untrusted blockchain data from WebSockets and RPC calls, exposing the agent to indirect prompt injection while it possesses write/execute capabilities.
- COMMAND_EXECUTION (MEDIUM): The skill references several internal JavaScript files (e.g., 'src/setup.js', 'src/transfer.js') and command-line tools to perform blockchain operations, but the script files are not provided, making their actual behavior unverifiable.
Recommendations
- AI detected serious security threats
Audit Metadata