smart-contract-development
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
Findings: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill includes a standard, well-known development mnemonic in 'references/testing.md' and 'references/smart-contracts.md' ('denial kitchen pet squirrel other broom bar gas better priority spoil cross') intended for use with the local Thor Solo node authentication.
- [EXTERNAL_DOWNLOADS]: The skill manages the installation of official VeChain SDKs, Hardhat, and OpenZeppelin contracts via npm, and references the official 'vechain/thor' Docker image for node management.
- [COMMAND_EXECUTION]: The skill executes shell commands including 'npm install', 'npx hardhat compile', 'nvm use', and 'docker run' to facilitate the development, compilation, and testing of smart contracts.
- [PROMPT_INJECTION]: The skill processes untrusted Solidity code and documentation, creating a surface for indirect prompt injection.
  1. Ingestion points: User-provided smart contract code and Kapa AI documentation lookups.
  2. Boundary markers: Absent; there are no explicit delimiters or instructions to ignore embedded commands in processed files.
  3. Capability inventory: Subprocess execution of npm, hardhat, and docker tools as defined in SKILL.md and references/testing.md.
  4. Sanitization: Absent; the skill does not specify validation or filtering of the code or documentation content before processing.
Audit Metadata