miles
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [SAFE]: The skill interacts with the `api.bymiles.ai` domain, which is the official infrastructure for the Miles AI service and matches the skill author's identity. This communication is required for the skill's core functionality.
- [COMMAND_EXECUTION]: The CLI utility uses `execFileSync` to open the user's browser for device-based authentication (miles login) and site previews (miles preview). This is standard behavior for tools that require external user authorization or visual verification.
- [EXTERNAL_DOWNLOADS]: The skill fetches image screenshots and WordPress theme files from the vendor's API servers. These assets are the primary outputs of the website design process and are only downloaded upon explicit command.
- [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface through its conversation relay mechanism:
  - Ingestion points: The `hook` command in `scripts/miles-cli.mjs` reads content from `~/.miles/last-response` which is populated by responses from the remote Miles AI API.
  - Boundary markers: The relayed content is prefixed with the label 'Miles response:' in the agent context.
  - Capability inventory: The CLI tool can read arbitrary local files via the `--brief` argument, write to the filesystem (credentials, screenshots, logs), open browsers, and perform network requests to the vendor API.
  - Sanitization: There is no explicit sanitization or filtering of the text returned by the remote service before it is relayed to the agent. While this is necessary for the relay functionality, it is a potential vector if the remote service were to be compromised.
Audit Metadata