Skills
skills/alva-ai/skills/open-alva/Gen Agent Trust Hub

open-alva

Warn

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The Alva platform enables remote execution of JavaScript code in a cloud-side V8 isolate via the /api/v1/run API endpoint and scheduled cronjob deployments, as described in SKILL.md and references/api-reference.md.
  • [COMMAND_EXECUTION]: Documentation in references/adk.md includes a 'Calculator Agent' example that uses the eval() function to process input. This pattern is dangerous as it allows for arbitrary code execution if the input provided by the agent is not strictly validated.
  • [DATA_EXFILTRATION]: The runtime environment provides a net/http module for arbitrary network requests and an alfs module for filesystem access. This combination allows for reading local files and exfiltrating their content to external, non-whitelisted domains.
  • [EXTERNAL_DOWNLOADS]: The net/http module allows for fetching and executing external content or scripts at runtime, as demonstrated in the tool-calling examples in references/adk.md.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 12, 2026, 07:02 AM