Skills
skills/vyntral/arkham-intelligence-claude-skill/arkham-api/Gen Agent Trust Hub

arkham-api

Pass

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes the Bash tool to execute curl and jq commands for API interaction and data parsing. It dynamically creates and executes .jq filter files in the /tmp/ directory to handle complex data structures.
  • [EXTERNAL_DOWNLOADS]: The skill makes network requests to https://api.arkm.com. This is the official endpoint for Arkham Intelligence, which is a well-known service in the cryptocurrency and blockchain industry.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it retrieves and processes data from an external API (blockchain entity names, transaction labels, and metadata) which can be influenced by third parties. This untrusted content is then interpolated into the agent's context.
  • Ingestion points: Multiple curl calls to endpoints like /intelligence/address/, /intelligence/entity/, and /token/holders/.
  • Boundary markers: None present in the instructions to delimit external data from agent instructions.
  • Capability inventory: The skill has access to Bash(curl:*), Bash(jq:*), Read, Grep, and Glob.
  • Sanitization: No explicit sanitization or validation of the API response data is performed before it is passed to the agent.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 2, 2026, 05:04 PM