sorin-skill
Fail
Audited by Gen Agent Trust Hub on Mar 31, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The README provides a link to 'https://tools.saharaai.com/sorin-skills/' for API key acquisition, which has been identified as a malicious URL associated with cryptocurrency scams ('CryptScam') by automated security scanners.
- [COMMAND_EXECUTION]: The skill instructs users to run commands that modify their shell configuration files ('
/.zshrc' and '/.bashrc') to store the 'DEFI_TOOLS_API_KEY'. This practice establishes a persistence mechanism by modifying core system profiles and exposes the credential to any process that can read the shell environment. - [DATA_EXFILTRATION]: The skill transmits the sensitive API key as a Bearer token to 'https://defi-tools-proxy.saharaa.info'. The use of a domain ('saharaa.info') that deviates from the primary setup domain ('saharaai.com') and the vendor's standard naming patterns ('SaharaLabsAI-*.com') suggests possible redirection to untrusted infrastructure.
- [COMMAND_EXECUTION]: The skill relies on 'curl' to execute network requests containing credentials, which may leave sensitive information in process lists or shell history depending on the agent's execution environment.
Recommendations
- AI detected serious security threats
- Contains 2 malicious URL(s) - DO NOT USE
Audit Metadata