external-ai
Fail
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: HIGH
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill is designed to translate user natural language requests directly into shell commands for the 'codex' and 'gemini' CLI tools and execute them.
- [REMOTE_CODE_EXECUTION]: The 'Self-Healing' instructions include an automatic update mechanism ('On Upgrade Available: Run the upgrade command'). This allows the skill to execute unvetted code during an 'upgrade' process triggered by external tool output.
- [COMMAND_EXECUTION]: Translation examples utilize shell interpolation (e.g., `$(cat file.ts)`) to inject local file content into command strings. This pattern is highly susceptible to command injection if a file contains shell metacharacters.
- [DATA_EXFILTRATION]: The skill explicitly gathers context by reading local files and scanning system environment variables (specifically targeting GOOGLE, GCP, and CLOUDSDK keys) and transmits this data to external AI CLI services.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It lacks sanitization, validation, or boundary markers when interpolating untrusted file content into prompts that are then used to generate executable CLI commands.
Recommendations
- AI detected serious security threats
Audit Metadata