aicoin-market

Pass

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill includes built-in API credentials in lib/defaults.json. These are identified as public free-tier keys provided by the vendor, 'aicoincom', to ensure immediate functionality. As these are vendor-provided public resources, they do not represent a security risk.
  • [SAFE]: All network operations are directed to the official vendor API domain at open.aicoin.com.
  • [SAFE]: The skill manages user configuration via .env files in standard local directories. The update_key action in scripts/coin.mjs allows for secure updates by validating the credentials against the API before writing them to the file.
  • [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection because it retrieves and displays external data such as news flashes and tweets.
  • Ingestion points: External content is fetched from the AiCoin API in scripts/news.mjs, scripts/newsflash.mjs, and scripts/twitter.mjs.
  • Boundary markers: The retrieved content is processed without explicit delimiters or instructions to the agent to isolate the text from control instructions.
  • Capability inventory: The skill possesses file-write capabilities restricted to its own configuration (.env file) and network access to the vendor's API endpoint.
  • Sanitization: The skill does not perform automated sanitization or filtering of text retrieved from external sources, relying on the agent's internal processing for safety.
Audit Metadata
Risk Level
SAFE
Analyzed
May 18, 2026, 01:40 AM
Security Audit — agent-trust-hub — aicoin-market