bank-skill

The module is a legitimate plugin runner but contains a high-impact sink: it executes external shell scripts from skill packages without validation or isolation. The code itself is not obfuscated and contains no embedded malicious payloads, but its design makes it a supply-chain and local-execution risk. If skill packages or SkillRegistry resolution can be influenced by an attacker, arbitrary code execution is possible. Recommended mitigations: validate skill provenance (signatures), enforce allow-lists, sandbox execution (containers, seccomp, less privileges), apply timeouts/resource limits, sanitize environment and arguments, and verify run.sh ownership/permissions.

The skill ambitiously combines traditional banking via Wise with on-chain Base network operations and includes wallet management features. The capabilities align with the stated purpose but introduce significant risk areas. Key concerns include exporting private keys via an action, handling and potentially exposing sensitive credentials (WISE_API_TOKEN, wallet keystore, private keys), and enabling autonomous financial actions without per-action user consent. The presence of private-key export and direct on-chain transactions constitutes high data-sensitivity and potential exfiltration risk if the agent is compromised or if outputs are logged. The design is coherent with its described features, but the credential/credential-flow and autonomous transaction capabilities are disproportionate and high-risk without explicit safeguarding, user prompts, or strict access controls. Overall, the package is SUSPICIOUS to HIGH-RISK (securityRisk ~ 0.8) due to credential exposure patterns and autonomous transaction capabilities; further hardening and explicit per-action approvals are recommended before deeming benign.

The file itself is not obfuscated and contains no obvious hard-coded secrets or eval-based dynamic execution, but it exposes highly sensitive capabilities via FastMCP: irreversible fund transfers and direct private key export. The main risks are: (1) secret exfiltration via export_private_key and returned results; (2) unauthorized fund transfers if FastMCP is accessible to untrusted callers; and (3) dependency risk from bankskills.* modules. Recommended mitigations: remove or restrict export_private_key, enforce strong authentication/authorization and manual confirmation for destructive operations, redact sensitive fields from returned data, add input validation and rate-limiting, and audit the bankskills dependencies (particularly wallet.export_private_key and sweeper modules).