pipes-template-lending-protocol

Fail

Audited by Gen Agent Trust Hub on Feb 23, 2026

Risk Level: CRITICAL (COMMAND_EXECUTION)
Full Analysis
  • Dynamic Execution (MEDIUM): The file templates/lending-protocol/templates/transformer.ts uses the Mustache library to generate executable TypeScript code dynamically.
    ◦ Evidence: The function renderTransformer interpolates the user-controlled parameters protocolName and poolAddress into a string template using Mustache {{variable}} syntax.
    ◦ Risk: These variables are placed inside single-quoted string literals in the generated code. An input containing a single quote (') could break out of the string context and allow an attacker to inject arbitrary JavaScript into the resulting transformer file, which is intended for execution within a Subsquid pipe.
  • External Downloads (SAFE): While an external automated scanner flagged docs.compound.fi as malicious, a manual review of the provided code confirms that this URL is not present in the analyzed skill files.
Recommendations
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 23, 2026, 01:52 AM