subway-info
Fail
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The README.md file recommends an installation method using `curl -s https://skills.sh/subway-info | bash`. This pattern is highly dangerous as it executes unverified scripts directly from a remote server into the user's shell environment without prior inspection.
- [EXTERNAL_DOWNLOADS]: The skill performs multiple network requests to `https://subwayinfo.nyc` and `https://skills.sh`. These domains are not recognized as trusted or well-known services, posing a risk of interacting with untrusted infrastructure.
- [COMMAND_EXECUTION]: The shell scripts located in the `scripts/` directory (e.g., `arrivals.sh`, `alerts.sh`, `trip.sh`) construct JSON request bodies for `curl` using string concatenation of user-provided arguments. This practice is susceptible to JSON injection and can lead to unintended behavior if input variables contain shell-sensitive characters or malformed JSON snippets.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to how it handles external data.
  - Ingestion points: Real-time transit data is fetched from the `subwayinfo.nyc` API and displayed to the agent via `arrivals.sh`, `alerts.sh`, and `status.sh`.
  - Boundary markers: The output from the API is presented to the agent without any delimiters or instructions to ignore potential commands embedded in the transit alerts or descriptions.
  - Capability inventory: The skill has access to shell execution and network requests through its helper scripts.
  - Sanitization: There is no evidence of sanitization or validation of the text content returned by the external API before it is processed by the agent.
Recommendations
- HIGH: Downloads and executes remote code from: https://skills.sh/subway-info - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata