fetch-source
Warn
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/fetch_sources.sh is vulnerable to path traversal.
  - Evidence: The script extracts the filepath variable from JSON responses returned by external APIs (Sourcify and Etherscan). This value is used directly to build the target path (target="${OUT_DIR}/${filepath}") for file writes via printf, with no check that the result stays inside OUT_DIR.
  - Impact: An attacker who controls the response from these services (e.g., by deploying a contract whose verified metadata carries a crafted source path) can supply a path containing directory traversal sequences (such as ../). The script would then write content to arbitrary locations writable by the user running it, potentially overwriting system files or user configuration.
- [EXTERNAL_DOWNLOADS]: The skill fetches smart contract source code from sourcify.dev and api.etherscan.io via curl.
  - Evidence: Use of curl to access Sourcify and Etherscan endpoints in scripts/fetch_sources.sh.
  - Context: These are well-known services within the Ethereum development ecosystem used for contract verification.
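The traversal described in the COMMAND_EXECUTION finding, shown as an added example that is not the audited scripts/fetch_sources.sh and not part of this report: the vulnerable target construction beside a hardened version that accepts only relative paths made of plain components. OUT_DIR, the function names and the sample filepath values are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example (not the audited scripts/fetch_sources.sh): the vulnerable
# target construction beside a hardened one. OUT_DIR and the sample paths
# are assumptions made for this illustration.
OUT_DIR="${OUT_DIR:-./out}"

# Constructed sample of "filepath" values a verification API might return.
# The first is benign; the rest carry traversal or otherwise unsafe shapes.
SAMPLE_PATHS='contracts/Token.sol
../../../../tmp/pwned.txt
/etc/passwd
contracts//Token.sol'

# Vulnerable pattern from the finding: filepath is spliced straight into the
# target, so a "../" sequence escapes OUT_DIR.
vulnerable_target() {
  printf '%s\n' "${OUT_DIR}/$1"
}

# Hardened: accept only relative paths whose every component is a plain name.
# Rejects an empty path, an absolute path, and any "", "." or ".." component
# (which also catches "a//b" and a trailing "/"). Prints the target and
# returns 0 when safe, returns 1 otherwise.
safe_target() {
  filepath="$1"
  case "$filepath" in
    ''|/*) return 1 ;;
  esac
  rest="$filepath"
  while :; do
    comp="${rest%%/*}"
    case "$comp" in
      ''|.|..) return 1 ;;
    esac
    case "$rest" in
      */*) rest="${rest#*/}" ;;
      *) break ;;
    esac
  done
  printf '%s\n' "${OUT_DIR}/${filepath}"
}

# Write content only to a validated target, creating parent directories
# inside OUT_DIR as needed.
write_source() {
  target="$(safe_target "$1")" || return 1
  mkdir -p "$(dirname "$target")" || return 1
  printf '%s' "$2" > "$target"
}

# Demo: classify each constructed sample path without writing anything.
printf '%s\n' "$SAMPLE_PATHS" | while IFS= read -r p; do
  if t="$(safe_target "$p")"; then
    printf 'ok       %s -> %s\n' "$p" "$t"
  else
    printf 'rejected %s (vulnerable form would be: %s)\n' "$p" "$(vulnerable_target "$p")"
  fi
done
```

The component-by-component check is deliberately stricter than a substring search for "../": it also refuses absolute paths, empty components and a trailing slash, none of which should appear in a verified contract's source path, and it works in plain POSIX sh without relying on realpath for files that do not exist yet.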
Audit Metadata