multi-swap

Pass

Audited by Gen Agent Trust Hub on Apr 5, 2026

Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill fetches the latest version of the starkfi package from the npm registry using npx at runtime to ensure the most recent features and routes are used.
  • [REMOTE_CODE_EXECUTION]: Executes the starkfi package downloaded from the npm registry, which is the primary mechanism for interacting with the Starknet blockchain as defined in the skill's functionality.
  • [COMMAND_EXECUTION]: Performs shell commands through the Bash tool to verify wallet status, check token balances, execute multi-swap transactions, and monitor transaction hashes.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because user-supplied swap pair descriptions (the pairs parameter) are directly interpolated into a shell command: npx starkfi@latest multi-swap "".
    1. Ingestion points: The pairs string provided by the user in SKILL.md.
    2. Boundary markers: The documentation instructs the agent to wrap the input in double quotes, which provides a weak boundary that can be escaped.
    3. Capability inventory: The skill has access to the Bash tool with wildcard arguments as specified in the allowed-tools configuration.
    4. Sanitization: No explicit validation or escaping of the user-provided string is defined within the skill before it is executed in the shell.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 5, 2026, 10:14 AM