bank-skill
Warn
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill includes an
export-private-keyoperation (found inbankskills/wallet.pyand exposed via the MCP server) that returns the decrypted, plaintext private key of the locally managed Ethereum wallet. While intended as a recovery feature, this capability allows for the exposure of critical credentials to the agent's context, where they could potentially be exfiltrated. - [COMMAND_EXECUTION]: The execution runner in
bankskills/runtime/runner.pyusessubprocess.runto execute a local shell script (run.sh). This is the standard entry point for the skill but permits the execution of local system commands. - [EXTERNAL_DOWNLOADS]: The skill performs legitimate network operations to well-known services, including the Wise API (
api.wise.com) for banking tasks and Ethereum RPC endpoints (e.g.,mainnet.base.org) for on-chain transactions. - [PROMPT_INJECTION]: The skill presents a surface for indirect prompt injection due to its processing of external data and high-privilege capabilities.
- Ingestion points: Financial transaction data and profile details from the Wise API (
bankskills/core/bank/client.py) and blockchain metadata from RPC calls (bankskills/sweeper.py). - Boundary markers: None identified in the code that handles or displays external API/RPC responses to the agent.
- Capability inventory: Includes significant capabilities such as
send_money(ACH/IBAN transfers),buy_token(Uniswap swaps), andsend_token(asset transfers). - Sanitization: Uses standard address checksumming (
Web3.to_checksum_address), but does not perform sanitization on narrative or descriptive data returned from external financial providers.
- Ingestion points: Financial transaction data and profile details from the Wise API (
Audit Metadata