agentform
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): The skill documentation promotes the use of npx -y to install and run MCP servers. This pattern fetches and executes packages from the npm registry at runtime, which is an unverified remote code execution vector if the package name is manipulated.
- COMMAND_EXECUTION (HIGH): The server block in the .af configuration language explicitly supports a command field for executing system binaries. This allows the configuration file to run arbitrary code on the host system when processed by the agentform CLI.
- PROMPT_INJECTION (HIGH): As the skill is designed to process external .af and .yaml files to define agent instructions and routing logic, it is highly susceptible to indirect prompt injection. A malicious configuration can redefine agent goals or exploit 'write' capabilities (like GitHub PR reviews) without adequate sanitization or boundary markers.
- EXTERNAL_DOWNLOADS (LOW): The skill points to trusted documentation from Anthropic and OpenAI for model IDs. Per the [TRUST-SCOPE-RULE], these specific references are considered low risk, although the underlying execution model remains dangerous.
Recommendations
- AI detected serious security threats
Audit Metadata