buying-signals
Warn
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill instructs the agent to install the
@alavida/clipackage from npm. This package is not managed by a verified trusted organization (e.g., Anthropic, Google, Microsoft), introducing a third-party dependency risk. - COMMAND_EXECUTION (MEDIUM): The skill requests wildcard permissions for the
alavidabinary (Bash(alavida *)). This allows the execution of any subcommand, includingauth,run, andregistry, which could lead to unauthorized credential handling or unexpected tool behavior if the binary is compromised. - PRIVILEGE_ESCALATION (MEDIUM): The use of
npm install -gsuggests a requirement for global system access, which typically requires administrative or root privileges (sudo). - INDIRECT_PROMPT_INJECTION (LOW): The skill is designed to process external data points like company names and social media profiles which could contain malicious instructions.
- Ingestion points: The
--inputflag accepts JSON objects containing company and person metadata, and can also read from a localcompanies.jsonfile. - Boundary markers: None provided in the command structure; the CLI treats input values as literal data for analysis.
- Capability inventory: The skill utilizes
Bash(alavida *)to send this data to a remote API. - Sanitization: No sanitization of the input fields (e.g.,
company_name,full_name) is documented before the data is passed to the CLI tool.
Audit Metadata