ditto-product-research

Fail

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The documentation provides instructions to execute a setup script from the developer's domain (https://app.askditto.io/scripts/free-tier-auth.sh) using a shell pipe ("curl | bash").
  • [EXTERNAL_DOWNLOADS]: The skill makes network requests to the Ditto API (app.askditto.io) and downloads resources from the vendor's infrastructure for authentication and operation.
  • [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection (Category 8) because it retrieves and processes qualitative responses from synthetic AI personas via the Ditto API.
      • Ingestion points: Data entering the context includes response_text from the /v1/research-studies/{study_id}/questions endpoint.
      • Boundary markers: There are no explicit delimiters or instructions telling the agent to ignore potentially malicious instructions embedded in the persona responses.
      • Capability inventory: The skill has the ability to execute Bash commands (curl and python3) which could be targeted by injected content.
      • Sanitization: No sanitization or validation of the fetched response content is described beyond basic HTML stripping for formatting.
  • [COMMAND_EXECUTION]: The skill uses Bash to perform API interactions via curl and to parse JSON data using python3 one-liners.
Recommendations
  • HIGH: Downloads and executes remote code from: https://app.askditto.io/scripts/free-tier-auth.sh - DO NOT USE without thorough review
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 5, 2026, 01:26 PM