morpho-cli
Pass
Audited by Gen Agent Trust Hub on May 1, 2026
Risk Level: SAFE | EXTERNAL_DOWNLOADS | COMMAND_EXECUTION | REMOTE_CODE_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill uses `npx` to fetch and execute the `@morpho-org/cli` package from the official NPM registry. This package is provided by the protocol vendor for querying data and preparing transaction payloads.
- [COMMAND_EXECUTION]: All protocol interactions are performed via shell commands. The instructions provide structured schemas for querying vault/market data and preparing transaction objects.
- [SAFEGUARD_OBSERVED]: The skill implements several security boundaries: it explicitly prohibits the agent from handling private keys or signing transactions, mandates checking simulation status (`simulationOk`) before presenting results to users, and requires reporting CLI errors directly to the user without attempting workarounds.
- [PROMPT_INJECTION]:
  - Ingestion points: The agent processes data retrieved from the Morpho protocol (such as vault names and market descriptions) via CLI JSON output.
  - Boundary markers: No specific delimiters are used to separate external tool output from the internal prompt context.
  - Capability inventory: The agent has the ability to execute shell commands to prepare transactions based on protocol data.
  - Sanitization: The skill relies on the structured nature of the CLI's JSON output and does not specify explicit sanitization for string fields returned from the blockchain.
Audit Metadata