bankrskills-supply-chain-2026-05-22
Supply-chain attack in gitlawb skill + false verification guarantee in bankr-signals
What was found
AntFleet's two-model consensus review (Claude Opus 4.7 + GPT-5) ran against 5 skill PRs on [antfleet/bankrskills-bench](https://github.com/AntFleet/bankrskills-bench), surfacing 6 unanimous findings across 4 skills.
---
HIGH — gitlawb skill: unverified curl | sh install
gitlawb/scripts/setup.sh downloads and executes an arbitrary remote shell script with no checksum, version pin, or hash verification:
curl -sSf https://gitlawb.com/install.sh | shAnyone able to compromise gitlawb.com or intercept the connection achieves arbitrary code execution on every user or agent running the skill. Because setup.sh lives in scripts/ and is intended to be invoked by AI agents automatically, the risk propagates to every downstream consumer. The skill's own SKILL.md already documents a safer npm install path (npm install -g @gitlawb/gl) — the setup script should use it.
---
MEDIUM — bankr-signals: verification claim is false
bankr-signals/scripts/verify-trade.sh prints ✓ Transaction verified after only confirming the TX exists and status == 0x1. It never checks that the TX sender matches the signal provider address. The SKILL.md guarantee "You cannot publish a signal for a trade that didn't happen" is therefore false: any subscriber can publish someone else's confirmed TX as their own signal, fabricating a track record.
publish-signal.sh compounds this: TX verification failure is a warning that still publishes the signal. Combined with a hardcoded Base RPC used for all chains (Ethereum/Polygon/Solana TX hashes silently "fail to verify" and are published anyway), the entire on-chain verification claim is misleading.
---
MEDIUM — Agentic Bets: hardcoded routing contradicts own docs
agenticbets/scripts/agenticbets.py hardcodes AGBETS→V2 contract routing and ignores the predictionContract field returned by the Markets API. The skill's own agent-usage.md explicitly states *"Don't hardcode AGBETS→V2 — read predictionContract from the API so future V3/V4 works without changes."* The script will silently route to the wrong contract on any future version upgrade.
A second finding: the claimable command is documented as returning true/false for whether a user has winnings. The implementation prints a static "coming soon" message. Agents following the docs will misinterpret the output and either skip real claims or initiate spurious ones.
---
MEDIUM — Symbiosis: unlimited approval + wrong file extension in docs
symbiosis-swap.py always grants MAX_UINT256 (infinite) token allowance to the Symbiosis router contract, with no user disclosure. If that contract is ever compromised, all previously approved tokens are at risk. Best practice is to approve only the exact swap amount.
Both Python scripts also document usage as ./symbiosis-quote.sh / ./symbiosis-swap.sh — files that don't exist. Users and agents following the embedded help text fail immediately.
Evidence
- Benchmark repo: antfleet/bankrskills-bench
- gitlawb bench PR: antfleet/bankrskills-bench#3 (commit
382c19d0) - bankr-signals bench PR: antfleet/bankrskills-bench#5 (commit
05b20d69) - Agentic Bets bench PR: antfleet/bankrskills-bench#1 (commit
c58482f6) - Symbiosis bench PR: antfleet/bankrskills-bench#4 (commit
4fd8793a) - Upstream repo: BankrBot/skills
- Upstream fix PR (gitlawb): BankrBot/skills#396
- Upstream fix PR (signals): BankrBot/skills#397