skills/b-open-io/prompts/critique/Gen Agent Trust Hub

critique

Fail

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts 'scripts/open-critique-pane.sh' and 'scripts/open-critique.sh' use AppleScript to automate iTerm2. The directory path passed as an argument is directly interpolated into a command string ('write text "cd $DIR && bunx critique"') without any sanitization or escaping. This allows for arbitrary command execution in the user's terminal if the directory name contains shell metacharacters such as backticks, semicolons, or dollar-sign parentheses.
  • [EXTERNAL_DOWNLOADS]: The skill instructions and helper scripts execute 'bunx critique', which fetches and runs the latest version of the 'critique' package from the public NPM registry.
  • [REMOTE_CODE_EXECUTION]: The use of 'bunx' to execute an unpinned remote package ('critique') from the internet constitutes a remote code execution vector.
  • [PROMPT_INJECTION]: The 'critique review' feature uses AI to analyze git diffs, creating a surface for indirect prompt injection.
      1. Ingestion points: Untrusted content within git diffs processed by the 'critique review' command.
      2. Boundary markers: None identified in the provided wrapper scripts.
      3. Capability inventory: Terminal automation via AppleScript and package execution via bunx.
      4. Sanitization: No sanitization of the git diff data is performed before it is processed by the AI feature.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 10, 2026, 03:57 AM