starknet-agentic-skills
Audited by Socket on May 30, 2026
4 alerts found:
Anomaly ×4

No clear embedded malware behavior is evident in this fragment (no obfuscated payloads, no eval/dynamic execution, and no direct exfiltration mechanisms). The dominant security concern is high-impact operational/supply-chain risk: it generates and persists private keys to state.json, passes sensitive secrets into spawned subprocesses (including an npm dev server in a configurable directory), and launches an MCP dist entrypoint that can perform privileged on-chain actions. If any of those external/local components are tampered with or misconfigured, secret exposure and unintended transactions become plausible. Review and harden SISNA_DIR/dist integrity, minimize env passthrough, and avoid storing unredacted private keys on disk or use encrypted/managed secret storage.
The provided artifact is a static scan report listing multiple serious smart-contract security issues across several Cairo/StarkNet repositories. The issues (immediate upgrades without timelock, non-guarded critical address initialization, irrevocable admins, fee recipient set to zero, CEI violation) indicate high-risk patterns that could enable privileged actors to upgrade contracts to malicious versions, seize funds, or cause DoS. This report is not executable code and does not itself show active malware, but it flags misconfigurations and dangerous upgrade/privilege patterns that should be treated as significant security vulnerabilities and remediated before deployment.
BENIGN. The skill’s capabilities, credentials, and network flows are consistent with a Starknet confidential-payments skill, and the install path uses standard public npm packages rather than opaque binaries or proxy services. The main risk is operational: it enables autonomous blockchain financial actions using sensitive private keys, so overall security risk is medium-high even without signs of malware.
The provided artifact is a static analysis report summarizing security issues across multiple Cairo smart-contract repositories. It contains no executable or obfuscated malware. The findings, however, reveal numerous high-risk smart-contract design and governance issues (immediate upgrades without timelocks, critical addresses initialized without nonzero guards, irrevocable admin roles, and other logic flaws) that could enable privileged actors to perform malicious on-chain actions or lead to accidental critical failures. I recommend immediate code review and remediation of the flagged contracts before deployment. No direct evidence of embedded malware in the scanned packages is present in this report.