blockrun
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill requires the installation of 'blockrun-llm' via pip. This is an unverifiable third-party package not associated with trusted organizations, posing a supply chain risk.
- [COMMAND_EXECUTION] (HIGH): The skill's frontmatter explicitly enables high-privilege tools including 'Bash(python:)', 'Bash(pip:)', and 'Bash(source:*)', allowing for arbitrary system modification and package installation.
- [INDIRECT_PROMPT_INJECTION] (HIGH): The skill processes untrusted external content (X/Twitter posts, web search results) and provides it to the agent while high-privilege execution tools are active.
- Ingestion points: Untrusted content enters the context via 'client.chat' when 'search=True' or using 'search_parameters' in 'SKILL.md'.
- Boundary markers: No delimiters or safety instructions are provided to separate external content from system instructions.
- Capability inventory: The agent has full 'Bash' and 'Python' access as defined in the 'allowed-tools' section.
- Sanitization: No sanitization, escaping, or filtering of the external data is implemented before it is processed.
- [DATA_EXFILTRATION] (MEDIUM): The skill manages a crypto wallet at '$HOME/.blockrun/.session'. A malicious version of the required 'blockrun-llm' library or an attacker-controlled prompt could exfiltrate the wallet's private keys or session data.
- [METADATA_POISONING] (MEDIUM): The skill claims to support non-existent models such as 'GPT-5.2' and 'GPT-5-mini', which is misleading and potentially deceptive to users.
Recommendations
- AI detected serious security threats