superise-market-sustain
Fail
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTIONREMOTE_CODE_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the global installation of an external NPM package
@superise/market-sustain-cli. This downloads and installs code from the public NPM registry to the host system. - Evidence:
npm install -g @superise/market-sustain-cliin SKILL.md. - [COMMAND_EXECUTION]: The skill executes multiple commands to configure and manage market states, including the
setup openclawcommand which modifies system scheduling to install persistence. - Evidence:
superise market-sustain setup openclawused to "Install sustain cron jobs". - [PROMPT_INJECTION]: The instructions include a section for "Autonomous Delegation" which directs the agent to "Start acting" and bypass typical confirmation loops when specific phrases (e.g., "keep yourself alive", "self-supervise") are detected.
- Evidence: "When that happens, do not stop at explaining commands. Start acting:" followed by a sequence of automated CLI operations.
- [REMOTE_CODE_EXECUTION]: The instruction to globally install and then execute a CLI tool from an external repository constitutes a remote code execution vector if the package is compromised.
- Evidence: Fallback installation logic using
npm install -gfollowed by immediate execution of help and setup commands.
Recommendations
- AI detected serious security threats
Audit Metadata