Skill Trust Decision

authenticate-wallet

The skill relies on unversioned npx execution of an external npm package with wildcard arguments, posing significant supply chain risk.

Install decision first
Source: Manual upload
Scanned: Apr 5, 2026
Files 1
Artifacts 0
Violations 0
Findings 3
Most direct threat evidence

01
Attacker typosquats or compromises 'agnic' npm package

supply_chain · SKILL.md

02
Skill executes arbitrary code via 'npx agnic@latest *' when user invokes

Execution · SKILL.md

03
Malicious package executes code with same shell:WRITE privileges

Impact · SKILL.md

Why this conclusion was reached

1/4 dimensions flagged
Pass
Declared vs actual capability

Declared resources and inferred behavior are broadly aligned.

Pass
Hidden execution and egress

No obvious high-risk egress or execution signals were found.

Block
Attack chain and severe findings

The report includes 3 attack-chain steps and 1 severe finding.

Review
Dependencies and supply chain hygiene

1 dependency or supply-chain issue needs attention.

Attack Chain

01
Attacker typosquats or compromises 'agnic' npm package

supply_chain · SKILL.md:8

02
Skill executes arbitrary code via 'npx agnic@latest *' when user invokes

Execution · SKILL.md:8

03
Malicious package executes code with same shell:WRITE privileges

Impact · SKILL.md:8

What drove the risk score up

Supply chain dependency on unversioned npm package +25

Uses 'npx agnic@latest' with no version pin, allowing potential malicious package swap

Wildcard argument passthrough +15

allowed-tools uses '*' wildcard, allowing any agnic subcommand beyond documented ones

Token passed via command line +5

Token visible in process list/history when passed as --token argument

Most important evidence

High Supply Chain

Unversioned npm package execution

The skill uses 'npx agnic@latest', which pulls from the npm registry without version pinning. An attacker who compromises the 'agnic' package name (typosquatting, account takeover) could execute arbitrary code.

SKILL.md:8
Pin to a specific version or commit hash, e.g., 'npx agnic@<version>', or verify package integrity with an integrity hash
Medium Doc Mismatch

Wildcard allows undocumented subcommands

The '*' in allowed-tools permits any agnic command, not just the documented auth/status/logout. The skill could silently execute other agnic subcommands not listed in documentation.

SKILL.md:8
Restrict to specific subcommands: 'Bash(npx agnic@latest auth login;npx agnic@latest status --json;npx agnic@latest auth logout)'
Low Credential Theft

Token visible in command line

Passing --token as a command-line argument exposes the credential in the process list and shell history.

SKILL.md:11
Prefer the environment variable AGNIC_TOKEN, which is less exposed, or document this risk explicitly

Declared capability vs actual capability

Shell Pass
Declared WRITE
Inferred WRITE
allowed-tools declares Bash(npx agnic@latest *)

Suspicious artifacts and egress

No obvious IOC was extracted.

Dependencies and supply chain

Package | Version | Source | Known vuln | Notes
agnic | @latest | npm | No | No version pinned; arbitrary code execution possible if package compromised

File composition

1 file · 62 lines
Markdown 1 file · 62 lines
Files of concern · 1
SKILL.md Markdown · 62 lines
Unversioned npm package execution · Wildcard allows undocumented subcommands · Token visible in command line

Security positives

Skill is simple with minimal attack surface
No hidden functionality detected
No direct access to sensitive files (~/.ssh, ~/.aws, etc.)
No base64 or obfuscated code
No credential exfiltration observed