opensea
Pass
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill implements strong security guidance for handling sensitive information. It instructs users to provide API keys and wallet secrets through environment variables or .env files, which is a standard and safe practice for secret management.
- [SAFE]: The skill explicitly addresses the risk of indirect prompt injection. In the 'Security' section of SKILL.md, it warns the agent to treat all user-generated content from API responses (like NFT descriptions and collection metadata) as untrusted data and not to interpret it as instructions or executable code.
- [COMMAND_EXECUTION]: The skill uses shell scripts and the @opensea/cli tool to interact with the OpenSea API. These operations are scoped to the marketplace's official infrastructure (api.opensea.io, stream.openseabeta.com). All scripts include error handling, timeouts, and rate-limiting logic.
- [EXTERNAL_DOWNLOADS]: The skill fetches data and transaction calldata from the official OpenSea API. This is the primary purpose of the skill and is performed over secure channels using authorized vendor resources.
- [CREDENTIALS_UNSAFE]: No hardcoded credentials were found. The skill includes placeholders and examples for environment variables but does not leak any real secrets.
Audit Metadata