Skills
skills/av/skills/boost-modules/Gen Agent Trust Hub

boost-modules

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGHPROMPT_INJECTIONDATA_EXFILTRATIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill facilitates Indirect Prompt Injection (Category 8).
  • Ingestion points: chat.message and requests.get(url).text in the URL Reader example.
  • Boundary markers: Weak <content> tags provide insufficient isolation.
  • Capability inventory: Access to llm.chat_completion and llm.stream_final_completion.
  • Sanitization: None provided.
  • Role Manipulation: The 'pirate' example shows how to inject system-role messages into the chat history.
  • [DATA_EXFILTRATION] (MEDIUM): Templates include logic for making arbitrary network requests.
  • Evidence: Use of requests.get(url) allows fetching data from non-whitelisted external domains, which can be leveraged for SSRF.
  • [COMMAND_EXECUTION] (MEDIUM): Facilitates the creation and loading of dynamic Python logic.
  • Evidence: The core purpose is writing apply() functions that the Harbor Boost proxy executes. This pattern (Category 10) is risky if modules are generated or modified by an agent.
  • [EXTERNAL_DOWNLOADS] (LOW): References non-trusted GitHub repositories and Docker images.
  • Evidence: ghcr.io/av/harbor-boost:latest and related source links point to an untrusted account ('av').
  • [INFO] (SAFE): The 'logger.info' scanner alert is a false positive.
  • Evidence: The scanner misidentified a Python logging method as a malicious domain.
Recommendations
  • AI detected serious security threats
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 11:40 AM