skills/akillness/oh-my-skills/jeo/Gen Agent Trust Hub

jeo

Fail

Audited by Gen Agent Trust Hub on Apr 20, 2026

Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The scripts/install.sh script downloads remote installation scripts from https://bun.sh/install and https://plannotator.ai/install.sh and pipes them directly into bash. These operations are intended to set up the necessary environment for the orchestration tools used by the skill.
  • [COMMAND_EXECUTION]: The script scripts/plannotator-plan-loop.sh utilizes the /dev/tcp bash syntax to perform connectivity checks against local ports. While used here to verify if the plannotator server is listening, this specific shell technique is frequently associated with network-based command execution and reverse shell patterns.
  • [COMMAND_EXECUTION]: Several scripts in the scripts/ directory, such as jeo-project-sync.py and worktree-cleanup.sh, execute shell commands via subprocesses to manage git worktrees, prune stale references, and update local state files.
  • [EXTERNAL_DOWNLOADS]: The skill's installation process fetches several global Node.js packages, including agent-browser, playwriter, and agentation-mcp, which are used for browser-based verification and UI feedback loops.
  • [PERSISTENCE]: The setup scripts (setup-claude.sh, setup-codex.sh, setup-gemini.sh, and setup-opencode.sh) modify global configuration files located in the user's home directory (e.g., ~/.claude/settings.json, ~/.codex/config.toml). This establishes persistent hooks that trigger the skill's logic during the AI agent's lifecycle phases.
  • [INDIRECT_PROMPT_INJECTION]: The skill implements an 'annotate' loop that ingests external UI feedback.
      • Ingestion points: Untrusted data enters the agent context via scripts/claude-agentation-submit-hook.py, which fetches JSON data from a local API endpoint at http://localhost:4747/pending.
      • Boundary markers: The scripts do not appear to use explicit boundary markers or 'ignore' instructions when presenting the 'comment' field from the annotations to the agent.
      • Capability inventory: The skill has significant capabilities, including filesystem writes (via jeo-project-sync.py) and arbitrary command execution (via Bash tool and setup scripts).
      • Sanitization: There is no evidence of sanitization or validation of the text content within the UI annotations before they are processed by the agent to determine code fixes.
Recommendations
  • HIGH: Downloads and executes remote code from: http://localhost:4747/pending, https://bun.sh/install - DO NOT USE without thorough review
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 20, 2026, 04:31 AM