agentation

Fail

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill configures platform-specific hooks (e.g., UserPromptSubmit, AfterAgent) that pipe data from a local network endpoint (http://localhost:4747/pending) directly into a Python interpreter. This pattern of piping network-sourced data to an interpreter is a high-risk vector for execution of arbitrary code if the local server is compromised.
  • [COMMAND_EXECUTION]: The included setup-agentation-mcp.sh script programmatically modifies agent configuration files in the user's home directory (e.g., ~/.claude/claude_desktop_config.json, ~/.gemini/settings.json) to register the agentation-mcp server and inject execution hooks.
  • [PROMPT_INJECTION]: The skill defines a watch-loop workflow where the agent is explicitly instructed to acknowledge and fix code based on comments found in UI annotations.
      1. Ingestion points: http://localhost:4747/pending.
      2. Boundary markers: Delimiters like '=== AGENTATION ===' are present in the processing script.
      3. Capability inventory: Bash, Write, Read, Grep, Glob.
      4. Sanitization: Absent; data is printed to stdout for agent ingestion without filtering.
    This creates an indirect prompt injection surface.
  • [EXTERNAL_DOWNLOADS]: The skill's installation process relies on fetching and executing code from an external third-party repository (benjitaylor/agentation) via npx and npm, introducing supply chain risks as the source is not associated with the skill's stated author (akillness).
Recommendations
  • HIGH: Downloads and executes remote code from: http://localhost:4747/pending - DO NOT USE without thorough review
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 16, 2026, 08:00 AM