web3-identity-auth
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE PROMPT_INJECTION EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through ENS text records. The `ENSResolverTool` in `scripts/ens_resolver.py` fetches user-controlled data such as descriptions and URLs from the Ethereum Name Service. Because the agent context defined in `SKILL.md` does not utilize boundary markers to separate this untrusted data from instructions, a malicious ENS record could be used to influence the agent's behavior.
  - Ingestion points: Text records retrieved in `scripts/ens_resolver.py` and interpolated into the `AuthenticatedAgent` system prompt in `SKILL.md`.
  - Boundary markers: Absent from the system prompt template.
  - Capability inventory: The agent has access to `ENSResolverTool` and potentially sensitive `WalletTool` functionality.
  - Sanitization: No sanitization or escaping is applied to external data retrieved from ENS resolvers before it is provided to the language model.
- [EXTERNAL_DOWNLOADS]: The skill performs network requests to `api.thegraph.com` to facilitate batch resolution of ENS names. This is an expected operation using a well-known service in the blockchain ecosystem and is consistent with the skill's primary purpose.
Audit Metadata