lista
Warn
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [COMMAND_EXECUTION]: The skill's instructions guide the agent to perform shell operations (such as node execution, directory creation, and file writing) that directly incorporate user-provided inputs like wallet addresses, language choices, and search keywords. For example, instructions such as `echo "<ADDRESS>" > ~/.lista/wallet.txt` and `node skills/lista/scripts/moolah.js dashboard <address>` do not include sanitization logic, creating a risk of command injection if a user provides input containing shell metacharacters (e.g., semicolons, pipes, or command substitution).
- [EXTERNAL_DOWNLOADS]: The skill fetches real-time market data, token prices, and protocol metrics from external API endpoints at `https://api.lista.org` using both curl and a bundled Node.js script (`scripts/moolah.js`).
Audit Metadata