bitcoin
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATIONCREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill uses
codex exec --full-autoto automatically apply code fixes to the local repository. This represents a significant dynamic execution risk where an LLM-driven tool modifies and validates code without mandatory human-in-the-loop for every change.\n- [CREDENTIALS_UNSAFE] (MEDIUM): The skill specifically targets and handles Bitcoin RPC credentials (BITCOIN_RPC_PASS) and wallet authentication cookies. While the goal is audit and remediation, the access to these secrets is a high-value target. The severity is downgraded from HIGH as this access is essential to the skill's primary function.\n- [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted code and configuration files during the 'Audit' phase and passes descriptions of 'issues' to thecodex execcommand. An attacker could place malicious comments or code patterns that mislead the auditor into instructingcodexto inject a backdoor.\n - Ingestion points: Project files containing bitcoin-related strings, imports, and environment variables.\n
- Boundary markers: Absent; findings are directly interpolated into the
codex execprompt string.\n - Capability inventory:
git checkout,export(env vars),codex exec(code modification/execution),pnpm test/typecheck,bitcoin-cli(wallet operations).\n - Sanitization: None; the tool relies on the 'auditor' subagent's output without validation layers.\n- [DATA_EXFILTRATION] (LOW): The skill accesses sensitive information including UTXO sets and transaction tracking. While no network exfiltration to unknown domains was detected, the combination of secret access and full-auto code execution creates an exfiltration surface.
Audit Metadata