payments
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill ingests findings from external sources (such as other skills or the state of the repository) and feeds them into an automated code execution tool without sanitization.
  - Ingestion points: Outputs from /stripe, /bitcoin, and /lightning skills, plus repository metadata in package.json.
  - Boundary markers: Absent; instructions are interpolated directly into codex commands.
  - Capability inventory: Filesystem write access via codex exec and financial operations via stripe/bitcoin/lightning CLIs.
  - Sanitization: Absent.
- Dynamic Execution (HIGH): The use of 'codex exec --full-auto' to generate and apply code fixes based on potentially untrusted finding descriptions constitutes a high-risk execution pattern that can be leveraged for RCE or code poisoning.
- Data Exposure & Exfiltration (LOW): The skill proactively maps the environment for sensitive API keys (STRIPE_SECRET_KEY, BITCOIN_RPC_URL, etc.). While it does not exfiltrate the values, it identifies high-value targets for an attacker.
Recommendations
- AI detected serious security threats
Audit Metadata