smart-workflows

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • EXTERNAL_DOWNLOADS (HIGH): Automated scanners identified a blacklisted URL (l.co) associated with the skill, which is a known risk for malicious redirections.
  • REMOTE_CODE_EXECUTION (MEDIUM): The skill documentation and setup guides promote the installation of tools from untrusted sources, such as the oraios/serena repository and the @upstash/context7-mcp package, which are not verified trusted organizations.
  • COMMAND_EXECUTION (MEDIUM): The Publisher Agent uses subprocess.run with dynamically provided paths (module_path, output_path) in its create_api_docs method, creating a command injection risk as no sanitization logic is evident.
  • PROMPT_INJECTION (LOW): The skill possesses a significant indirect prompt injection surface (Category 8). Untrusted data is ingested via DataCollector.fetch and flows through a pipeline to agents with file-writing and command-execution capabilities. Mandatory evidence:
    1. Ingestion points at agents/data-collector.md;
    2. Boundary markers are absent;
    3. Capability inventory includes subprocess.run and file-write;
    4. Sanitization is absent.
  • COMMAND_EXECUTION (MEDIUM): The MCP-B Protocol implements a custom 4-layer encoding (Hex, Binary, custom tokens) for agent messaging, which functions as a form of non-standard encoding that can obfuscate malicious internal commands.
Recommendations
  • AI detected serious security threats
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 06:18 PM