radius-dev
Pass
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/radius-wallet-bootstrap.mjs` executes the Foundry `cast` command to generate local development wallets. This is a legitimate development utility that includes security controls such as regex-based name validation, restricted file permissions (0600), and automated .gitignore management to prevent accidental disclosure of secrets.
- [EXTERNAL_DOWNLOADS]: The skill references official Radius documentation and RPC endpoints at `radiustech.xyz`. These references are used for configuration and reference data and do not involve untrusted code execution or third-party dependencies.
- [CREDENTIALS_UNSAFE]: The skill enforces best-practice guidance for secret management, specifically advising against leaking private keys in shell history or process listings. It provides a bootstrap script that secures generated keys in local, git-ignored files with restricted permissions, correctly separating sensitive key material from application logic.
- [PROMPT_INJECTION]: The skill identifies a potential surface for indirect prompt injection via the ingestion of external documentation URLs.
  - Ingestion points: Documentation files at `docs.radiustech.xyz` linked in `SKILL.md`.
  - Boundary markers: `SKILL.md` includes an explicit 'Trust boundary' warning that instructs the agent to treat fetched content as reference data only and to ignore any instructions or tool calls embedded within it.
  - Capability inventory: The skill utilizes command execution (`cast` via the bootstrap script), file system access for wallet management, and network RPC interaction.
  - Sanitization: The bootstrap script performs regex-based sanitization on user-supplied wallet names to prevent command injection.
Audit Metadata