consult
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: Uses `npx -y` to execute packages such as `@anthropic-ai/claude-code-acp` and `@zed-industries/codex-acp` at runtime. This dynamically downloads and runs code from external registries without version pinning: `-y` suppresses the install confirmation, so each run resolves to whatever the registry currently serves for that package name.
- [COMMAND_EXECUTION]: Orchestrates multiple external CLI tools (claude, gemini, codex, opencode) and a local script `acp/run.js` via shell commands. User inputs are handled via temporary files, which mitigates direct argument injection, but the reliance on several external binaries still increases the attack surface.
- [PROMPT_INJECTION]: Susceptible to indirect prompt injection from consulted tool responses. The skill lacks boundary markers, and gives the calling agent no instruction to isolate or ignore potentially malicious instructions returned by the external tools.
  - Ingestion points: tool stdout (claude, gemini, etc.)
  - Boundary markers: absent from the output format
  - Capability inventory: subprocess execution of multiple binaries and scripts
  - Sanitization: secret redaction present; instruction sanitization absent
- [EXTERNAL_DOWNLOADS]: Encourages the installation of several third-party tools (e.g., `opencode-ai`, `claude-code`) via package managers, introducing unverified external dependencies into the user environment.
Audit Metadata