runes
Pass
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill manages Bitcoin runes using standard cryptographic practices and reputable external APIs.
- Interacts with the Unisat Indexer for balance and UTXO data.
- Uses Mempool.space for fee estimation and transaction broadcasting.
- [COMMAND_EXECUTION]: The skill executes local scripts via the
bunruntime for its primary operations, which is the standard execution model for this environment. - Implements subcommands for
balance,utxos, andtransferusing thecommanderlibrary. - [CREDENTIALS_UNSAFE]: The skill handles private keys for transaction signing, but it does so through a local wallet session manager.
- Private keys are accessed from
getWalletManager().getActiveAccount()during the transfer process. - No hardcoded secrets, tokens, or unsafe storage practices were observed; the
UNISAT_API_KEYis correctly handled as an environment variable. - [DATA_EXFILTRATION]: No unauthorized data transmission was detected.
- Sensitive data (private keys) is used locally for signing and never transmitted.
- Only the signed transaction hex is sent to the blockchain broadcast API.
Audit Metadata