agentation
Fail
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill facilitates indirect prompt injection by design through its UI feedback mechanism.
  - Ingestion points: The skill reads untrusted human feedback (comments) from a local server endpoint at http://localhost:4747/pending.
  - Boundary markers: Content is injected into the agent's context using text markers like `=== AGENTATION: {c} UI annotations ===`, but it lacks explicit instructions for the agent to disregard instructions within those annotations.
  - Capability inventory: The skill is permitted to use `Bash`, `Write`, `Read`, and `Grep`, providing a significant impact surface if an injection succeeds.
  - Sanitization: The Python snippets provided in the `SKILL.md` hooks directly print the `comment` field into the agent output without any sanitization or escaping.
- [COMMAND_EXECUTION]: The skill relies on shell command execution for its core lifecycle and platform integration.
  - Platform hooks for Claude Code and Gemini CLI use `curl` piped to `python3 -c` to process data from the local server.
  - The `setup-agentation-mcp.sh` script modifies agent-specific configuration files (e.g., `~/.claude/settings.json`, `~/.gemini/settings.json`) to register hooks and MCP servers.
- [EXTERNAL_DOWNLOADS]: The skill uses package managers and remote installation tools to set up its environment.
  - It uses `npx` to dynamically download and execute the `agentation-mcp` package from the NPM registry.
  - It suggests installing the skill via `npx skills add benjitaylor/agentation`, which fetches code from a remote GitHub repository.
Recommendations
- HIGH: Downloads and executes remote code from: http://localhost:4747/pending - DO NOT USE without thorough review
Audit Metadata