xmtp-agent
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE | EXTERNAL_DOWNLOADS | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs the official XMTP CLI (@xmtp/cli) from the vendor's package repository to facilitate network communication.
- [COMMAND_EXECUTION]: The bridge logic relies on a Bash script that executes system utilities like jq and xmtp, alongside agent backends such as openclaw or claude, to process incoming events and generate responses.
- [PROMPT_INJECTION]: The skill establishes a conduit for indirect prompt injection by processing arbitrary message content from the XMTP network.
  - Ingestion points: Untrusted message content is received via the `xmtp conversations stream-all-messages` stream.
  - Boundary markers: The script attempts to mitigate risks by prepending a restrictive system instruction from `public-prompt.md` to messages originating from non-owner accounts.
  - Capability inventory: The agent backends intended for use with this bridge (e.g., OpenClaw, Claude Code) typically have broad capabilities, including filesystem access and command execution, which are constrained primarily by the bridge's session isolation and prompt-based guardrails.
  - Sanitization: While the script correctly handles JSON parsing with `jq` and uses shell quoting for variable expansion, it does not implement content filtering or semantic sanitization of the message body prior to agent processing.
Audit Metadata