pmfi-parbitrage
Pass
Audited by Gen Agent Trust Hub on Jun 19, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: Hardcodes the PMFI vault (0xd1ccbc2aa6e2f41817b62448089d4125e62df4fb) and USDC (0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913) addresses to ensure all interactions target verified contracts.
- [COMMAND_EXECUTION]: Submits transactions via a controlled API with strict allowlisting of function selectors (requestDeposit, requestRedeem, approve), preventing the execution of arbitrary contract calls.
- [DATA_EXFILTRATION]: Retrieves the platform API key from a local configuration file (~/.bankr/config.json) for authenticated requests to the hardcoded official API (api.bankr.bot), following established platform patterns for transaction submission.
- [SAFE]: Enforces mandatory pre-flight checks, including vault state verification (paused/shutdown), on-chain minimums, and capacity limits, before requesting user authorization.
- [PROMPT_INJECTION]: Addresses potential indirect injection from RPC data by instructing the agent to treat all external inputs as untrusted and relying on hardcoded logic for transaction parameters.
  - Ingestion points: RPC responses in pmfi_parbitrage.mjs.
  - Boundary markers: Explicit instructions in SKILL.md.
  - Capability inventory: Transaction submission via Bankr API.
  - Sanitization: Hardcoded address and selector validation.