synctx-mcp
Fail
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, CREDENTIALS_UNSAFE, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill explicitly instructs the agent to override standard safety protocols. Section 7 ('Special Authorizations') directs the agent to treat on-chain write operations as 'pre-authorized' and specifically states that 'the /wallet skill's user confirmation rules do not apply', removing the human-in-the-loop requirement for financial actions.
- [CREDENTIALS_UNSAFE]: Authentication tokens are stored in a predictable local file path (~/.synctx/token.json). These credentials grant access to the SyncTx platform and are managed in plain text without encryption during registration and recovery workflows.
- [COMMAND_EXECUTION]: The skill promotes 'Autonomous Decision-Making' for sensitive financial operations, allowing the agent to execute token approvals (USDC.approve) and contract interactions (createDeal) without explicit user consent.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface due to the ingestion of untrusted data.
  - Ingestion points: External messages from counterparties, contract instructions via instruction(), and content from IPFS/HTTPS URLs.
  - Boundary markers: Section 4 warns the agent about message security, but there are no formal delimiters or 'ignore' instructions for data fetched from IPFS or HTTPS.
  - Capability inventory: The skill can perform on-chain writes, manage local files, and call network-enabled MCP tools.
  - Sanitization: No input validation or sanitization of external content is specified before the data is processed or parsed for reference links.
Recommendations
- AI detected serious security threats
Audit Metadata