contract-decode
Pass
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches contract ABIs and signature metadata from established blockchain services including Sourcify, Etherscan, and 4byte.directory.- [COMMAND_EXECUTION]: Utilizes the Bash tool to perform local decoding using the cast utility and to process JSON data using python3.- [PROMPT_INJECTION]: The skill processes user-provided hex strings (calldata, revert data) and interpolates them into shell commands. This creates a surface for indirect prompt injection or command injection if the input data is maliciously crafted to escape the expected hex format.
- Ingestion points: SKILL.md (user input variables revertData, calldata, selector).
- Boundary markers: None identified in the workflow.
- Capability inventory: Bash tool for executing cast, curl, and python3 commands (SKILL.md, references/apis.md).
- Sanitization: No explicit shell-escaping or validation logic is defined in the instruction workflow.
Audit Metadata