agent-bridge-cli

Warn

Audited by Gen Agent Trust Hub on Feb 12, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis

================================================================================

🟡 VERDICT: MEDIUM

This skill is a Markdown document providing reference and usage instructions for an agent-bridge CLI tool. The skill itself is documentation and does not contain active malicious code or prompt injection attempts targeting the analyzing LLM. However, it instructs the user to execute commands that involve external dependencies and network requests from sources that are not on the list of trusted external sources.

Total Findings: 2

🟡 MEDIUM Findings:

  • Unverifiable Dependency
    Line 12: npm install -g @annals/agent-bridge
    The skill instructs the user to install a global npm package from the @annals scope. This scope is not recognized as a trusted external source. The content of this package cannot be verified by this analysis, posing a supply chain risk.

  • External Download / Unverifiable Dependency
    Line 100: npx @annals/agent-bridge connect --setup https://agents.hot/api/connect/ct_xxxxx
    The skill instructs the user to execute a command using npx which involves downloading and running a package from the @annals scope and connecting to https://agents.hot. Neither @annals nor agents.hot are recognized as trusted external sources. The content fetched from these sources cannot be verified, posing a risk of executing unvetted code.

================================================================================

Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 12, 2026, 11:16 AM