wavybaby
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The skill directs the agent to install and use a large number of MCP servers and skill marketplaces from unverified community sources (e.g., obra/superpowers-marketplace, K-Dense-AI, GPTomics). Per [TRUST-SCOPE-RULE], these do not fall within the trusted organization list and represent a supply-chain risk.
- REMOTE_CODE_EXECUTION (HIGH): Multiple 'Quick Install' and configuration examples use the 'npx -y' command to download and execute packages at runtime. This bypasses manual review and can lead to immediate execution of malicious code if the package name is typosquatted or the registry is compromised.
- COMMAND_EXECUTION (HIGH): The permission templates grant broad access to powerful CLI tools including 'docker', 'npm', 'pip', and 'cargo'. These tools often execute arbitrary scripts during installation (e.g., npm postinstall) or allow for host privilege escalation (Docker).
- DATA_EXFILTRATION (MEDIUM): Permission templates include broad network access via 'WebFetch(domain:*)' and 'WebSearch' alongside permissions to read sensitive workspace data (GitHub MCP, Notion MCP, Slack MCP). The lack of domain restrictions in several templates creates a clear path for data exfiltration.
- INDIRECT PROMPT INJECTION (HIGH): The skill is designed to facilitate the ingestion of untrusted external data (reading PR comments, web search results, and community documentation) while simultaneously granting the agent 'Write' and 'Bash' capabilities. This fulfills the high-severity criteria for Category 8 (External content + write/execute capability) without providing sanitization or boundary markers in the provided templates.
Recommendations
- AI detected serious security threats
Audit Metadata