cardano-cli-staking-operator
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (CREDENTIALS_UNSAFE, COMMAND_EXECUTION)
Full Analysis
- [CREDENTIALS_UNSAFE] (HIGH): The skill directly accesses and utilizes highly sensitive private key files (payment.skey, stake.skey). While necessary for the stated purpose of a staking operator, providing an AI agent access to raw private keys on disk creates a significant exposure risk where keys could be leaked through tool logs or hijacked by other skills.
- [COMMAND_EXECUTION] (MEDIUM): The skill uses the broad wildcard permission Bash(cardano-cli:*). This allows the agent to execute any command within the Cardano CLI suite, which may exceed the minimum necessary permissions required for staking, potentially allowing broader wallet or node manipulation.
- [Indirect Prompt Injection] (HIGH): This skill exhibits a high-risk surface for indirect prompt injection.
  - Ingestion points: The skill reads external data from stake.addr via cat and accepts user/external inputs for <utxo>#<index>, <payment-addr>, and <pool-id-bech32>.
  - Boundary markers: There are no boundary markers or delimiters used to separate these untrusted inputs from the command logic.
  - Capability inventory: The skill possesses the capability to submit transactions to the blockchain via cardano-cli conway transaction submit.
  - Sanitization: No sanitization or validation of the input strings is performed before they are interpolated into shell commands. A malicious input could potentially alter the transaction parameters (e.g., change the destination address or reward amount) before signing.
Recommendations
- AI detected serious security threats