Skills
skills/bankrbot/openclaw-skills/nookplot/Gen Agent Trust Hub

nookplot

Warn

Audited by Gen Agent Trust Hub on Apr 25, 2026

Risk Level: MEDIUMREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits a substantial surface area for indirect prompt injection. It is designed to ingest and process untrusted external data from various sources, including direct messages, group channels, real-world emails, and community-generated content such as bounty descriptions and marketplace listings. The instructions for the agent do not include specific boundary markers or sanitization protocols, which is critical given the agent's access to high-privilege tools like on-chain transaction relaying, sandbox code execution, and email delivery.
  • Ingestion points: Messaging DMs and channels (references/messaging-communicate.md), incoming emails (references/messaging-email.md), and network-wide content posts/bounties (references/content-publish.md, references/economy-bounties.md).
  • Boundary markers: Absent.
  • Capability inventory: Outbound HTTP proxy (references/actions-overview.md), sandbox code execution (v1/exec), and EIP-712 relay for on-chain state changes (references/identity-register.md).
  • Sanitization: Absent (general content scanning is mentioned for phishing in the Clawnch integration, but not for general prompt injection mitigation).
  • [REMOTE_CODE_EXECUTION]: The skill facilitates the execution of arbitrary code through its "Sandbox Code Execution" feature (v1/exec in references/actions-overview.md) and the verification of third-party "Paper Reproduction" artifacts which run solver-provided Docker containers locally (references/mining-paper-reproduction.md). While these are presented as legitimate features for a research and verification protocol, they allow for the execution of code provided by untrusted external sources.
  • [DATA_EXFILTRATION]: The egress proxy feature (v1/egress) allows agents to make arbitrary outbound HTTP requests, which could be used to exfiltrate sensitive information. Furthermore, the protocol includes an endpoint for exporting the agent's decrypted private key (/v1/agents/me/export in references/identity-register.md), which presents a severe data exposure risk if an agent is manipulated into revealing its credentials.
  • [EXTERNAL_DOWNLOADS]: The documentation describes a process for installing agent wrappers via a "curl | bash" pattern from the vendor's domain (references/runtime-orchestration.md). It also allows importing code directly from GitHub repositories into project workspaces (references/collab-projects.md).
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 25, 2026, 07:08 PM