xrpl-dev
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill repeatedly recommends scaffolding new projects using npx create-xrp. This command downloads and executes a script from the npm registry at runtime.
  - Evidence: Found in SKILL.md and frontend.md.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill suggests installing external dependencies xrpl-connect and xrpl which are not within the defined trusted organization scope.
  - Evidence: Found in frontend.md and resources.md.
- [COMMAND_EXECUTION] (LOW): The skill provides instructions for running local development commands such as pnpm dev, pnpm build, and pnpm lint.
  - Evidence: Found in frontend.md.
- [DATA_EXFILTRATION] (SAFE): The skill demonstrates best practices by explicitly warning against hardcoding secrets and recommending local signing or delegated wallet signing to prevent secret exposure.
  - Evidence: Found in security.md and client-sdk.md.
- [PROMPT_INJECTION] (SAFE): No instructions targeting agent behavior override or safety filter bypass were detected.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill defines patterns for building transactions based on user-provided input (e.g., in TransactionForm.js), creating a surface for processing untrusted data.
  - Evidence: Surface identified in frontend.md. No malicious payload present.