zkvm-evaluator
Fail
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The documentation explicitly instructs users to install backends using 'curl -L https://sp1.succinct.xyz | bash' and 'curl -L https://risczero.com/install | bash'. This pattern allows for the immediate execution of arbitrary, unverified scripts from the internet with full shell privileges.
- [REMOTE_CODE_EXECUTION]: The core functionality of the skill is designed to load and execute 'test_suite.elf', which is a compiled RISC-V binary provided by an untrusted external 'Client'. Running arbitrary executable binaries from external sources is a high-risk operation that can lead to system compromise.
- [EXTERNAL_DOWNLOADS]: The skill uses tools to fetch verification programs and deliverables from IPFS based on content hashes (CIDs). There is no mechanism described to audit or verify the safety of these files before they are executed or processed, relying solely on the cryptographic integrity of the download rather than the safety of the content.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by ingesting and executing content provided by external actors.
- Ingestion points: The programRef and deliverableRef parameters in the zkvm_evaluate_job tool ingest data from external IPFS nodes.
- Boundary markers: No markers or safety instructions are used to separate untrusted content from the agent's logic.
- Capability inventory: The skill possesses the capability to execute binaries and interact with blockchain contracts.
- Sanitization: No sanitization or validation of the external binary's behavior is performed prior to execution.
Recommendations
- HIGH: Downloads and executes remote code from: https://sp1.succinct.xyz, https://risczero.com/install - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata