Skills
skills/bankrbot/openclaw-skills/erc-8004/Gen Agent Trust Hub

erc-8004

Warn

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: MEDIUMREMOTE_CODE_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The scripts 'register-http.sh', 'register-onchain.sh', 'update-profile.sh', and 'get-agent.sh' use 'node -e' to execute JavaScript code for encoding and decoding registration data. These scripts interpolate shell variables like '$NEW_URI', '$REGISTRATION_URL', and '$DATA_URI' directly into JavaScript string literals. This is a dynamic code execution pattern that is vulnerable to injection; if an input variable contains malicious characters like single quotes or semicolons, an attacker could execute arbitrary JavaScript code within the Node.js process.\n- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through 'get-agent.sh'. This script fetches agent profile data from untrusted external sources, including IPFS gateways and arbitrary HTTP URLs found in blockchain metadata. The content is output to the console without sanitization or boundary markers to distinguish it from trusted instructions. If an AI agent processes this output, it could be influenced by instructions hidden in the profile metadata. This risk is significant because the skill also provides the capability to move funds and interact with smart contracts via the 'bankr' tool.\n
  • Ingestion points: 'scripts/get-agent.sh' (fetches from 'gateway.pinata.cloud', 'ipfs.io', and user-specified URLs).\n
  • Boundary markers: None present; the fetched content is output directly to the user/agent context.\n
  • Capability inventory: Asset bridging and smart contract registration via 'bankr prompt' ('scripts/bridge-to-mainnet.sh', 'scripts/register.sh').\n
  • Sanitization: None present; content is processed via 'jq' or 'echo' without filtering for instructions.\n- [EXTERNAL_DOWNLOADS]: The 'get-agent.sh' script performs network requests to retrieve profile data from external IPFS gateways and HTTP endpoints. While the gateways used (Pinata, IPFS.io) are well-known, the data itself is untrusted and user-controlled.\n- [COMMAND_EXECUTION]: The skill relies on several bash scripts that execute local shell commands and interact with the 'bankr' CLI. While sensitive blockchain operations require a prompt via the 'bankr' tool, the inputs to these prompts are generated dynamically by scripts that may be subject to data manipulation.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 10, 2026, 06:00 PM