cairo-auditor

Warn

Audited by Gen Agent Trust Hub on May 27, 2026

Risk Level: MEDIUM

Findings: PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted Cairo source code to generate security reports. This creates an attack surface for indirect prompt injection, where a malicious contract could include instructions designed to mislead the AI auditor.
    • Ingestion points: Discovers and reads all .cairo files within the provided repository scope via the orchestrator's discovery phase.
    • Boundary markers: Source code is wrapped in file path headers and markdown blocks before being bundled for specialist agents.
    • Capability inventory: Specialist agents are restricted to returning JSON, but the orchestrator agent has broad tool access, including Bash and Read.
    • Sanitization: Specialist outputs are validated against a JSON schema and normalized before report generation.
  • [DYNAMIC_EXECUTION]: The skill's preflight bridge script uses dynamic Python loading to execute an optional benchmark detector script from a path computed at runtime.
    • Evidence: Uses importlib.util.spec_from_file_location and spec.loader.exec_module in scripts/quality/detector_bridge.py to load benchmark_cairo_auditor.py.
    • Context: This functionality is restricted to instances where the skill is run within its full developer repository structure and is used to extend the deterministic scanner's capabilities.
  • [EXTERNAL_DOWNLOADS]: The skill performs network operations to check for updates and fetch security threat intelligence from trusted sources.
    • Evidence: Uses curl to access the author's official GitHub repository for version checks and fetches security reports from well-known domains such as starknet.io, code4rena.com, and openzeppelin.com.
    • Context: These operations are restricted to reading public data and do not involve direct execution of the downloaded content.
  • [COMMAND_EXECUTION]: The skill relies on shell commands for repository discovery, file bundling, and running its internal analysis and testing scripts.
    • Evidence: SKILL.md and various utility scripts use subprocess.run() or direct Bash execution for pipeline orchestration.
    • Context: These operations are fundamental to the skill's primary function and appear to be implemented with appropriate safeguards for path resolution and temporary directory management.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 27, 2026, 01:33 PM
Security Audit — agent-trust-hub — cairo-auditor