atxp-backup
Fail
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS)
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The skill uses npx atxp@latest to fetch and execute code directly from the NPM registry at runtime. Since the atxp package and its publisher (atxp-dev) are not recognized as trusted sources, this constitutes an unverified remote code execution vector.
- [DATA_EXFILTRATION] (HIGH): The push command is designed to upload the agent's identity and memory files (including SOUL.md and USER.md) to external servers at atxp.ai. These files often contain highly sensitive user context, personal data, and internal agent logic, which is sent to an untrusted third-party service.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill's functionality relies on downloading the latest version of an external package from NPM during every execution, creating a dependency on the integrity of an untrusted external repository.
- [PROMPT_INJECTION] (LOW): Indirect prompt injection surface. The pull command populates the agent's local workspace with markdown files from a remote server. If the server content is compromised, malicious instructions could be placed into the agent's memory or identity files to manipulate its behavior.
- Ingestion points: npx atxp@latest backup pull writes remote files to the local --path directory.
- Boundary markers: None. The skill writes raw .md files directly to the agent's memory path.
- Capability inventory: The agent reads these files to define its identity and context.
- Sanitization: None. The skill performs no validation on the content of the pulled markdown files.
Recommendations
- AI detected serious security threats