security-auditor
Fail
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script install-tools.sh uses sudo to perform system-level operations, such as updating package manager lists (apt-get update) and installing software. It also uses administrative privileges to modify the system's repository configuration by writing to /etc/apt/sources.list.d/trivy.list.
- [EXTERNAL_DOWNLOADS]: The skill fetches an installation script from the public GitHub repository for Trivy at https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh.
- [REMOTE_CODE_EXECUTION]: The skill executes the downloaded Trivy installation script by piping its content directly to the shell (sh), which allows remote code to be run with the user's current permissions.
- [PROMPT_INJECTION]: The skill ingests untrusted source code and configuration files from the repository to generate security findings, creating a surface for indirect prompt injection if malicious instructions are embedded in the analyzed data.
  - Ingestion points: Reads all repository files through the various scanning scripts (scan-code.sh, scan-deps.sh, etc.).
  - Boundary markers: Absent; the findings are included in Markdown reports (.opencode/docs/SECURITY-AUDIT.md) without explicit sanitization or delimiters to prevent the agent from processing instructions hidden in the data.
  - Capability inventory: Authorized to execute bash scripts, write files to the filesystem, and interact with the GitHub API via the gh CLI.
  - Sanitization: Findings are processed through jq, but textual fields from findings are interpolated into the final report without filtering for potential instructions.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata