strix

Fail

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill instructs the user to execute a remote script via piped bash (curl -sSL https://strix.ai/install | bash) in multiple files, including SKILL.md, references/commands.md, and scripts/install.sh. This pattern executes unverified code from an external server directly on the host machine.
  • [EXTERNAL_DOWNLOADS]: The installation process fetches a binary from strix.ai and pulls a Docker image (ghcr.io/usestrix/strix-sandbox:0.1.13) from an external registry. These downloads occur outside of verified or trusted ecosystems.
  • [PROMPT_INJECTION]: The skill processes untrusted input from local directories, GitHub repositories, and live URLs, exposing the agent to indirect prompt injection. Attacks could be embedded in the code or websites being scanned.
    • Ingestion points: Targets provided via the --target flag in SKILL.md and scripts/run-scan.sh.
    • Boundary markers: No isolation delimiters or instructions to ignore embedded commands are present when ingesting target data.
    • Capability inventory: The skill environment permits shell command execution, network access via WebFetch, and browser automation via Playwright-powered Chrome.
    • Sanitization: No sanitization or filtering of target content is performed before processing by the AI engine.
  • [COMMAND_EXECUTION]: The skill uses several wrapper scripts (scripts/install.sh, scripts/run-scan.sh, scripts/ci-scan.sh) that execute shell commands to interact with the Docker daemon and the strix CLI using user-supplied parameters.
Recommendations
  • HIGH: Downloads and executes remote code from: https://strix.ai/install - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Mar 29, 2026, 02:30 AM