aicoin-market
Pass
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill includes built-in API credentials in
lib/defaults.json. These are identified as public free-tier keys provided by the vendor, 'aicoincom', to ensure immediate functionality. As these are vendor-provided public resources, they do not represent a security risk. - [SAFE]: All network operations are directed to the official vendor API domain at
open.aicoin.com. - [SAFE]: The skill manages user configuration via
.envfiles in standard local directories. Theupdate_keyaction inscripts/coin.mjsallows for secure updates by validating the credentials against the API before writing them to the file. - [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection because it retrieves and displays external data such as news flashes and tweets.
- Ingestion points: External content is fetched from the AiCoin API in
scripts/news.mjs,scripts/newsflash.mjs, andscripts/twitter.mjs. - Boundary markers: The retrieved content is processed without explicit delimiters or instructions to the agent to isolate the text from control instructions.
- Capability inventory: The skill possesses file-write capabilities restricted to its own configuration (
.envfile) and network access to the vendor's API endpoint. - Sanitization: The skill does not perform automated sanitization or filtering of text retrieved from external sources, relying on the agent's internal processing for safety.
Audit Metadata