skills/6fy/lfy-cli/lfy-customer/Gen Agent Trust Hub

lfy-customer

Warn

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions in SKILL.md and references/search.md direct the agent to execute shell commands using lfy-cli where user-provided input is placed directly into a quoted JSON argument: lfy-cli customer search '{"keywords": "<keywords>"}'.
  • [COMMAND_EXECUTION]: This pattern is vulnerable to command injection. A keyword containing a single quote terminates the quoted JSON argument, so a value such as ' ; command ; ' makes the shell parse everything after the quote as a separate command and run it with the agent's privileges on the host system. The skill gives the agent no instruction to validate, escape, or quote the user input, or to pass it to lfy-cli as a separate argument without a shell, before placing it in the command.
  • [SAFE]: The skill references the official vendor domain app.6fenyi.com for customer detail links.
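The injection described in the finding above, as an added worked example that is not part of the audit or of lfy-cli: the vulnerable string construction the finding describes, a shell-style tokeniser that shows how a crafted keyword turns into extra commands, and the hardened form that hands the JSON argument to the CLI as a single argv element with no shell involved. The subcommand and argument shape are taken from the finding; the payload, the length limit and the control-character check are constructed for illustration, and lfy-cli itself is never executed here.

```python
import json
import shlex
import subprocess
import unicodedata

# Shell control operators that start a new simple command once a single
# quote has broken out of the JSON argument.
SEPARATORS = {";", "&&", "||", "|", "&"}


def build_shell_command_vulnerable(keywords: str) -> str:
    """The pattern the audit flags: user input spliced into a single-quoted
    JSON argument and handed to a shell as one string."""
    return f"lfy-cli customer search '{{\"keywords\": \"{keywords}\"}}'"


def shell_tokens(command: str) -> list[str]:
    """Tokenise a command string the way a POSIX shell would: quotes group
    words, and control operators such as ';' become separate tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def split_commands(command: str) -> list[list[str]]:
    """Split a command string into the simple commands (argv lists) a shell
    would run. A benign keyword yields exactly one."""
    commands: list[list[str]] = []
    current: list[str] = []
    for tok in shell_tokens(command):
        if tok in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def is_injected(keywords: str) -> bool:
    """True when the vulnerable construction would run more than one command."""
    return len(split_commands(build_shell_command_vulnerable(keywords))) > 1


def validate_keywords(keywords: str, max_len: int = 200) -> str:
    """Defence in depth (an assumption of this example, not a rule from the
    skill): reject control characters and oversized input before the CLI
    sees it, so a stray newline cannot be smuggled into a later command."""
    if len(keywords) > max_len:
        raise ValueError("keywords too long")
    if any(unicodedata.category(ch).startswith("C") for ch in keywords):
        raise ValueError("control characters are not allowed in keywords")
    return keywords


def build_argv_safe(keywords: str) -> list[str]:
    """Hardened form: the JSON document is serialised with json.dumps (so a
    '"' in the keyword is escaped instead of corrupting the document) and
    passed as one argv element. No shell parses it, so quotes and ';' reach
    lfy-cli as literal characters."""
    payload = json.dumps({"keywords": validate_keywords(keywords)})
    return ["lfy-cli", "customer", "search", payload]


def run_search(keywords: str) -> subprocess.CompletedProcess:
    """Execute with shell=False (subprocess.run's default). Not called by the
    demo below because lfy-cli is not assumed to be installed."""
    return subprocess.run(
        build_argv_safe(keywords), capture_output=True, text=True, check=True
    )


if __name__ == "__main__":
    # Constructed payload: closes the quoted JSON, appends a command, then
    # reopens a quote so the trailing "}' still parses.
    payload = "x'; touch /tmp/pwned; echo '"
    for keywords in ("acme", payload):
        cmd = build_shell_command_vulnerable(keywords)
        print("vulnerable string :", cmd)
        print("  shell would run :", split_commands(cmd))
        print("hardened argv     :", build_argv_safe(keywords))
```

split_commands is only a model of shell parsing used to make the breakout visible; the actual fix is build_argv_safe plus shell=False, which removes the shell from the path entirely rather than trying to escape for it.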
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 10, 2026, 07:06 AM