ens-primary-name
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The helper scripts perform unsafe string interpolation of shell variables into JavaScript code executed via node -e.
  - Evidence: In scripts/set-avatar.sh, variables $ENS_NAME and $AVATAR_URL are placed inside single quotes in a Node.js script string. A malicious input containing a single quote followed by JS code could lead to arbitrary command execution.
  - Evidence: scripts/set-primary.sh similarly interpolates the $ENS_NAME variable into a node -e command.
  - Evidence: scripts/verify-primary.sh interpolates $REVERSE_RESULT, which is data fetched from a remote Ethereum RPC, into a Node.js snippet.
- [EXTERNAL_DOWNLOADS]: The skill interacts with external blockchain data providers and APIs.
  - Evidence: It queries the ENS subgraph on The Graph (api.thegraph.com) to resolve names.
  - Evidence: It uses the Thirdweb API (api.thirdweb.com) with a secret key to read contract data.
  - Evidence: It communicates with multiple public blockchain RPC endpoints for chain interaction.
- [CREDENTIALS_UNSAFE]: The script scripts/set-primary.sh references a THIRDWEB_SECRET_KEY environment variable to authenticate with Thirdweb APIs.
Audit Metadata