acpx
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill facilitates the execution of arbitrary shell commands on the host system. It explicitly treats unknown agent tokens as raw commands and provides an --agent flag for direct command injection.
- [COMMAND_EXECUTION]: The skill instructions promote the use of the --approve-all flag, which allows orchestrated agents to perform file modifications and command executions without human verification.
- [EXTERNAL_DOWNLOADS]: Fetches the acpx tool and ACP adapters such as @zed-industries/codex-acp and @zed-industries/claude-agent-acp from the NPM registry.
- [EXTERNAL_DOWNLOADS]: Dynamically executes the third-party packages opencode-ai and pi-acp via npx from the NPM registry at runtime.
- [PROMPT_INJECTION]: The template in templates/session-prompts.md is vulnerable to indirect prompt injection when processing untrusted task data.
  - Ingestion points: Untrusted task descriptions are interpolated into the {TASK_PROMPT} variable in templates/session-prompts.md.
  - Boundary markers: The template lacks robust isolation markers or instructions to ignore embedded commands within the input.
  - Capability inventory: The acpx tool provides extensive capabilities, including subprocess execution and file system access, as described in SKILL.md.
  - Sanitization: No sanitization or validation is applied to external input data before it is processed by the agent.
Audit Metadata