try
Fail
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill is designed to fetch and run code from any user-provided source, including GitHub repositories and npm/pip packages. This creates a direct path for executing arbitrary and potentially malicious third-party code within the agent's environment.
- [COMMAND_EXECUTION]: The skill executes multiple shell commands to set up isolated environments and run exploration scripts. Commands such as `git clone`, `npm install`, and `pip install` are performed on untrusted inputs, and the resulting code is executed using native runtimes like Python and Node.js.
- [EXTERNAL_DOWNLOADS]: The skill performs network operations to download code and dependencies from external, unverified sources defined by the user. These downloads lack integrity verification and do not restrict sources to trusted vendors.
- [PROMPT_INJECTION]: The skill's reconnaissance phase reads untrusted content from cloned repositories to build a 'mental inventory' and plan subsequent steps, which is a surface for indirect prompt injection.
  1. Ingestion points: README.md, package.json, pyproject.toml, and source files within the cloned repository.
  2. Boundary markers: Absent; the agent integrates file content directly into its context.
  3. Capability inventory: The agent has the ability to execute shell commands, install software, and run scripts (as specified in Phase 0 and Phase 2).
  4. Sanitization: No sanitization or filtering of external content is performed before processing.
Recommendations
- AI detected serious security threats
Audit Metadata