cardano-cli-plutus-scripts-operator
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill possesses significant 'write' capabilities (signing and submitting on-chain transactions) while ingesting untrusted external data.
  - Ingestion points: Processes `script.plutus`, `redeemer.json`, and derived `script.addr` at runtime.
  - Boundary markers: Absent. There are no delimiters or 'ignore embedded instructions' warnings for the data ingested from files.
  - Capability inventory: Extensive use of `cardano-cli` for transaction building, signing, and submission, which can have permanent financial side effects.
  - Sanitization: Relies entirely on manual human verification ('Validate datum/redeemer JSON') without programmatic validation or sanitization of the file contents before they are passed to the CLI.
- [Data Exposure] (MEDIUM): The skill explicitly references and utilizes sensitive file paths like `payment.skey`. While necessary for the skill's purpose, the use of a CLI tool with access to private keys presents a risk of credential exposure if the environment is compromised or the agent is redirected.
- [Command Execution] (LOW): Uses `cardano-cli`, `cat`, and `jq` via shell. These are standard tools for the task, but arbitrary command arguments are constructed using external file content.
Recommendations
- AI detected serious security threats
Audit Metadata