astkit-tooling

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • REMOTE_CODE_EXECUTION (HIGH): The skill documentation in SKILL.md instructs the agent to verify availability via npx astkit or bunx astkit. These commands download and execute code directly from the npm registry. As 'astkit' is not provided by a trusted organization or repository listed in the security policy, this allows for the execution of unverified remote code.
  • COMMAND_EXECUTION (MEDIUM): The agent is encouraged to use CLI tools for symbol navigation, searching, and patching. The astkit patch command enables the agent to perform programmatically driven filesystem writes. If the agent's logic is subverted, this capability could be used to inject malicious code or corrupt the project.
  • PROMPT_INJECTION (LOW): The skill exhibits vulnerability to Indirect Prompt Injection (Category 8).
    • Ingestion points: The agent ingests repository content through the astkit search and astkit nav commands as part of the exploration workflow.
    • Boundary markers: Absent; there are no delimiters or warnings provided to the agent to treat analyzed source code as untrusted input.
    • Capability inventory: The toolset includes filesystem write access and arbitrary command execution via the astkit CLI.
    • Sanitization: None; results from structural searches are passed directly to the agent without filtering, which could allow malicious instructions embedded in code comments to influence subsequent agent actions.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:46 PM