mac-code-local-ai-agent
Warn
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The installation process involves cloning code from an external GitHub repository (github.com/walter-grace/mac-code) that is not identified as a trusted source.
- [COMMAND_EXECUTION]: The agent architecture is designed to execute arbitrary shell commands via `subprocess.run()` based on LLM output. This capability represents a significant security risk if the agent's instructions are subverted.
- [DATA_EXFILTRATION]: The skill facilitates data synchronization with Cloudflare R2, requiring the user to provide sensitive access keys (`R2_ACCESS_KEY_ID`, `R2_SECRET_ACCESS_KEY`). Users must ensure these credentials are not exposed through environment logging or shared sessions.
- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection (Category 8) due to the combination of data ingestion and powerful execution capabilities.
  - Ingestion points: The agent ingests untrusted data from DuckDuckGo search results and local file content through the `search` and `file` tools.
  - Boundary markers: There are no explicit delimiters or specific prompt engineering instructions provided in the skill documentation to prevent the LLM from following commands embedded within the retrieved data.
  - Capability inventory: The system has the ability to execute shell commands, modify the file system, and perform network requests.
  - Sanitization: The provided instructions do not describe any mechanisms for validating, sanitizing, or requiring human approval for the shell commands generated by the model before execution.
Audit Metadata