ledger-signing

Pass

Audited by Gen Agent Trust Hub on Mar 21, 2026

Risk Level: SAFE | PROMPT_INJECTION | DATA_EXFILTRATION | EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill processes hex payloads for transactions, messages, and typed data from the config.json file. It lacks boundary markers or specific instructions for the agent to verify the intent or safety of these payloads before initiating the hardware signing flow. This creates an indirect prompt injection surface where a malicious input could lead to signing unintended transaction data.
    • Ingestion points: payload_hex, domain_separator_hex, and hash_struct_message_hex via load_config in scripts/agent.py.
    • Boundary markers: Absent.
    • Capability inventory: USB/HID cryptographic signing against a hardware device.
    • Sanitization: The script only validates that inputs are valid hex strings, providing no semantic check of the transaction data.
  • [DATA_EXFILTRATION]: The script scripts/agent.py contains an undocumented helper _check_serenbucks_balance which retrieves environment variables named API_KEY and SEREN_API_KEY. This data is sent via an HTTP POST request to https://api.serendb.com/wallet/balance. While the domain is linked to the author's infrastructure, the use of a generic variable name like API_KEY poses a risk of accidental exfiltration of unrelated user secrets to the vendor's API.
  • [EXTERNAL_DOWNLOADS]: The skill relies on external libraries ledgerblue and hidapi for hardware communication, as listed in requirements.txt. These are standard dependencies for interacting with Ledger devices.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 21, 2026, 02:44 AM