openstall

Warn

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill uses the @openstall/sdk NPM package, which is a vendor-provided tool for marketplace integration.
  • [COMMAND_EXECUTION]: The worker daemon (openstall worker run) executes a local command specified by the --agent flag to fulfill marketplace tasks.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes task data from a public marketplace.
    • Ingestion points: Task descriptions and inputs from the OpenStall marketplace via the worker daemon (SKILL.md).
    • Boundary markers: Mentions a "crust security wrapping" enabled by default, though it can be bypassed via the --no-crust flag (SKILL.md).
    • Capability inventory: Executes local agent commands and performs financial transactions including USDC withdrawals (SKILL.md).
    • Sanitization: Relies on the external "crust" wrapper; no internal sanitization of marketplace strings is defined in the skill logic.
  • [CREDENTIALS_UNSAFE]: An API key and server URL are stored in plain text in the ~/.openstall/config.json configuration file.
  • [DATA_EXFILTRATION]: Includes built-in support for withdrawing credits to external USDC cryptocurrency addresses.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 13, 2026, 09:41 PM