ton-xstocks
Warn
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute a shell command (curl) that interpolates a user-provided variable ({symbol}) directly into the URL string. Without explicit sanitization or validation instructions, this presents a command injection risk where a malicious user could potentially append shell metacharacters to execute unauthorized commands on the agent's host system.
- [EXTERNAL_DOWNLOADS]: The skill relies on fetching dynamic configuration data (specifically Jetton master addresses) from a remote third-party API (api.xstocks.fi) at runtime. While this is functional for the skill's purpose, it creates a dependency where the security and correctness of financial transactions rely on the integrity of external data.
- [SAFE]: The skill correctly identifies the official USDT Jetton master address on the TON network (EQCxE6mUtQJKFnGfaROTKOt1lZbDiiX1kCixRv7Nw2Id_sDs), ensuring trades use the legitimate liquidity pool.
Audit Metadata