send-usdc

Pass

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: SAFE · EXTERNAL_DOWNLOADS · COMMAND_EXECUTION · PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill uses npx to fetch and execute the awal package from the NPM registry. This is the standard delivery mechanism for the Coinbase Agent Wallet CLI.
  • [COMMAND_EXECUTION]: Shell commands are used to interact with the wallet for sending tokens, checking balances, and verifying authentication status. The execution is scoped to the awal package as defined in the allowed-tools configuration.
  • [PROMPT_INJECTION]: The skill addresses potential indirect prompt injection and shell injection risks by providing the agent with strict validation requirements for user-provided data.
      • Ingestion points: User-supplied values for amount and recipient in SKILL.md are used as command-line arguments.
      • Boundary markers: The instructions recommend the use of single quotes for amount values to prevent shell variable expansion.
      • Capability inventory: The skill utilizes the Bash tool for all operations, as specified in the allowed-tools section of SKILL.md.
      • Sanitization: Includes explicit regex patterns for validating amounts, Ethereum/Solana addresses, and ENS names, along with instructions to reject inputs containing shell metacharacters.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 7, 2026, 04:26 AM