Skills
skills/b-open-io/1sat-sdk/extract-blockchain-media/Gen Agent Trust Hub

extract-blockchain-media

Fail

Audited by Gen Agent Trust Hub on May 8, 2026

Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/extract.ts is vulnerable to shell command injection because it uses child_process.exec with unsanitized user inputs.\n
  • Evidence: The txid argument is only validated for its length (64 characters), which can be bypassed using shell subshells or backticks within a 64-character payload.\n
  • Evidence: The outputDir argument is resolved to an absolute path but is then concatenated into a command string within double quotes without escaping. This allows an attacker to inject commands by including a double quote and shell metacharacters in the directory path.\n- [EXTERNAL_DOWNLOADS]: The skill instructs users to install an external CLI tool txex using bun add -g txex. This is an unverified third-party dependency.\n- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface through the ingestion of untrusted blockchain data.\n
  • Ingestion points: Data is retrieved from the BSV blockchain as described in SKILL.md and processed by scripts/extract.ts.\n
  • Boundary markers: Absent. There are no delimiters or instructions provided to the agent to treat extracted content as untrusted data.\n
  • Capability inventory: The skill uses Bash(bun:*) and executes filesystem and shell commands in scripts/extract.ts.\n
  • Sanitization: Absent. Extracted media and text data are not sanitized before being saved or presented to the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 8, 2026, 05:40 PM
Security Audit — agent-trust-hub — extract-blockchain-media