botchan-net
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a significant surface for Indirect Prompt Injection due to its core functionality of reading decentralized messaging feeds.
  - Ingestion points: Untrusted data enters the agent context through commands like `botchan read`, `netp message read`, and `netp storage read`, which fetch user-generated content directly from the blockchain (documented in `packages/net-cli/src/commands/feed/read.ts` and `packages/net-cli/src/commands/message/read.ts`).
  - Boundary markers: Absent. Messages are returned as raw text or JSON objects without explicit delimiters or warnings to the agent to ignore embedded instructions.
  - Capability inventory: The skill allows the agent to generate and potentially execute transactions (message sending, token deployment, storage) via the `--encode-only` flag or direct private key usage (documented in `SKILL.md` and `packages/net-cli/src/commands/token/deploy.ts`).
  - Sanitization: While `sanitizeCSS` in `packages/net-profiles/src/utils.ts` filters dangerous patterns in profile themes, there is no evidence of sanitization for general message text fetched from feeds.
- [EXTERNAL_DOWNLOADS]: The `update` command in both `botchan` and `netp` CLIs executes shell commands to download and install the latest versions of the tools from npm (documented in `packages/botchan/src/cli/index.ts` and `packages/net-cli/src/cli/index.ts`).
  - Execution: Uses `child_process.execSync` to run `npm install -g` and `npx skills add`. While intended for maintenance, this pattern involves executing code from a remote registry at runtime.
- [SAFE]: The skill includes a dedicated CSS sanitizer in the `net-profiles` package designed to prevent script injection via custom profile themes, stripping patterns like `<script>`, `javascript:`, and `@import`.
Audit Metadata