AGENT LAB: SKILLS

quickstart

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (HIGH): Documentation in references/getting-started.md and references/troubleshooting.md instructs users to install tools (ao, beads, gastown) from the untrusted GitHub account boshu2 using Homebrew and npx.
  • [REMOTE_CODE_EXECUTION] (HIGH): The command ao init --hooks (mentioned in references/troubleshooting.md) installs 'flywheel hooks' that run shell scripts automatically at the start and stop of every agent session. This establishes a persistent code execution vector on the host system.
  • [DATA_EXFILTRATION] (MEDIUM): Troubleshooting instructions suggest reading sensitive files like ~/.claude/settings.json, which may contain user preferences or sensitive configuration data.
  • [COMMAND_EXECUTION] (MEDIUM): The scripts/validate.sh utility uses bash -c to execute dynamic string arguments, a pattern that can lead to arbitrary code execution if inputs are controlled by an attacker.
  • [PROMPT_INJECTION] (LOW): The skill provides an attack surface for indirect prompt injection.
    1. Ingestion points: /research and /vibe read external codebase files and git history.
    2. Boundary markers: No boundary markers or instructions to ignore embedded commands are implemented.
    3. Capability inventory: The skill suite executes subprocesses via the ao CLI and modifies local files in the .agents/ directory.
    4. Sanitization: No sanitization of codebase content is mentioned before processing.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 18, 2026, 11:19 AM