skills/chenghua926/nemo-skill/nemo/Gen Agent Trust Hub

nemo

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill's core workflow involves fetching full 'skill instructions' from an external database (/api/skill/SKILL_NAME) and directing the agent to 'follow them'. This creates a massive attack surface where any malicious entry indexed by the service can inject instructions directly into the agent's execution context.
      • Ingestion points: Data enters via /api/search and /api/skill/SKILL_NAME responses.
      • Boundary markers: Absent. The skill provides no delimiters or warnings to treat the fetched content as untrusted.
      • Capability inventory: The instructions returned can include 'install commands' and metadata which the agent is expected to act upon.
      • Sanitization: Absent. There is no evidence of filtering or validation of the fetched instructions.
  • [Remote Code Execution] (HIGH): The documentation explicitly mentions that fetching skill instructions returns 'the complete instructions, install command, and metadata.' An attacker-controlled skill in the index could provide a malicious install command (e.g., curl ... | bash) that the agent might execute.
  • [External Downloads] (MEDIUM): The skill relies on a third-party, non-trusted domain (nemo.25chenghua.workers.dev) to serve executable instructions and tool definitions. This domain does not fall under the [TRUST-SCOPE-RULE] and represents a single point of failure and potential supply chain risk.
  • [Command Execution] (MEDIUM): The /api/call endpoint acts as a proxy to 'any indexed MCP server'. This allows the agent to send requests and potentially sensitive arguments to arbitrary remote endpoints defined in the search results, which could be used for data exfiltration or probing internal network resources.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 09:53 PM