skills/aibtcdev/skills/signing/Gen Agent Trust Hub

signing

Fail

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: HIGHCREDENTIALS_UNSAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [CREDENTIALS_UNSAFE]: The stacks-sign and btc-sign commands in signing.ts include a --wallet-password option. Passing sensitive credentials as command-line arguments is inherently insecure because they remain visible in plain text to all users and monitoring processes on the system (e.g., via ps aux). While the documentation correctly warns against this and suggests an environment variable alternative (--wallet-password-env), the presence of the flag itself creates a high risk of credential exposure.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted text data via the --message and --digest flags and uses it as the payload for cryptographic signing using private keys. An attacker could potentially trick an agent or user into signing a malicious message or a transaction-related digest.
  • Ingestion points: User-provided inputs via --message in stacks-sign, btc-sign, and sip018-sign, as well as --digest in schnorr-sign-digest.
  • Boundary markers: Absent. Arguments are processed directly from the CLI input into the signing functions.
  • Capability inventory: Powerful cryptographic functions (signStructuredData, signMessageHashRsv, bip322Sign, schnorr.sign) that authorize identity or value transfers.
  • Sanitization: No validation or content-filtering is performed on the data before signing.
  • [EXTERNAL_DOWNLOADS]: The skill relies on external node packages for core logic, including @stacks/transactions, @stacks/encryption, @noble/curves, and @scure/btc-signer. These are established ecosystem libraries, but they constitute third-party dependencies that must be managed and verified.
  • [SAFE]: The implementation of the schnorr-sign-digest command includes a robust safety feature requiring the --confirm-blind-sign flag. This prevents the automated signing of opaque 32-byte digests without explicit confirmation of the risk.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 15, 2026, 10:51 AM
Security Audit — agent-trust-hub — signing