bux-claude-agent
Fail
Audited by Gen Agent Trust Hub on Apr 28, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- [REMOTE_CODE_EXECUTION]: The installation instructions use the `curl | bash` pattern to fetch and execute a shell script (install.sh) directly from a third-party GitHub repository (browser-use/bux). This occurs with root privileges via `sudo`, creating a high-risk execution vector.
- [COMMAND_EXECUTION]: The Telegram bot bridge implementation uses `subprocess.run` to call the `claude` CLI with raw input from Telegram. This allows the agent to perform actions and execute commands on the host VPS based on remote instructions received over the internet.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection.
  - Ingestion points: Raw text from Telegram messages in `telegram_bot.py`.
  - Boundary markers: None; input is passed directly to the agent's prompt.
  - Capability inventory: Full terminal access via the `claude` CLI and `subprocess` modules.
  - Sanitization: No escaping or validation is performed on the incoming Telegram message before it is processed by the AI agent.
- [CREDENTIALS_UNSAFE]: The documentation instructs users to pass sensitive API keys (including `ANTHROPIC_API_KEY`, `BROWSER_USE_API_KEY`, and `TG_BOT_TOKEN`) as environment variables directly in the shell. This can cause secrets to be logged in plain text in the user's `.bash_history` file.
- [COMMAND_EXECUTION]: The skill configuration allows the AI agent to manage systemd services and execute commands as a dedicated `bux` user, which provides the agent with persistent control over the server's environment and background processes.
Recommendations
- AI detected serious security threats
Audit Metadata