confidential
Warn
Audited by Gen Agent Trust Hub on Apr 28, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill makes extensive use of `npx starkfi@latest`, which downloads and executes the latest version of the `starkfi` package from the npm registry at runtime. This introduces a risk of executing unverified code from an external source.
- [EXTERNAL_DOWNLOADS]: The use of `npx` without pinned versions ensures that external code is fetched and executed during every session, which is a supply chain risk for an unverified package.
- [DATA_EXFILTRATION]: The skill manages highly sensitive data, specifically Tongo private keys used for confidential transfers.
  - The skill instructs users to pass the private key as a command-line argument: `npx starkfi@latest conf-setup --key <TONGO_PRIVATE_KEY>`. This exposes the secret key to system process listings and shell history.
  - The skill references a sensitive local file path for credential storage: `~/.local/share/starkfi/confidential.json`.
- [COMMAND_EXECUTION]: The skill is configured with multiple `allowed-tools` that grant the agent the ability to execute shell commands using the `Bash` tool, including dynamic commands with wildcards (`*`).
- [INDIRECT_PROMPT_INJECTION]: The skill processes output from external commands (e.g., `conf-balance`, `tx-status`) to inform agent decisions.
  - Ingestion points: Output from `npx starkfi@latest` commands (SKILL.md).
  - Boundary markers: Absent.
  - Capability inventory: Full subprocess execution via Bash (SKILL.md).
  - Sanitization: No evidence of output sanitization or validation before processing.
Audit Metadata