
z-ai-tools

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill relies on the @briansunter/z-cli package, which is downloaded and executed at runtime via npx or bunx. The author and repository are not on the trusted sources list, posing a risk of executing unverified code.
  • COMMAND_EXECUTION (MEDIUM): The use of npx -y and bunx to run the Z-CLI tool involves executing external binary code on the host system. Without version pinning or source verification, this is a vector for supply chain attacks.
  • DATA_EXFILTRATION (LOW): The layout_parsing and vision tools allow the agent to read local file paths. If combined with a malicious prompt (e.g., via indirect injection), these tools could be used to read sensitive files and transmit their contents to the Z.AI API.
  • PROMPT_INJECTION (LOW): The skill is highly susceptible to indirect prompt injection.
    • Ingestion points: Data enters the system through web_reader (URLs), web_search (web content), and GitHub tools (search_doc, read_file).
    • Boundary markers: No delimiters or safety instructions are defined to separate untrusted data from the system prompt.
    • Capability inventory: The skill can read local files, access the network, and read/search GitHub repositories.
    • Sanitization: No evidence of sanitization or escaping of external content is provided.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:43 PM