arcs-dev-tools

Warn

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: MEDIUM

Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill is designed to clone an external repository and then execute multiple shell scripts contained within it, specifically 'prepare_listenai_tools.sh', 'prepare_toolchain.sh', and 'build.sh'. This represents a high-risk pattern, as the agent executes instructions from an unverified remote source.
  • [COMMAND_EXECUTION]: The skill executes local binaries ('cskburn') and uses shell commands to modify file permissions ('chmod +x') on external tools downloaded from the repository. It also uses 'fuser' to identify and manage system processes.
  • [EXTERNAL_DOWNLOADS]: The skill initiates a 'git clone' from a placeholder or user-specified URL ('gitlab.example.com/listenai/arcs-sdk.git') to fetch the build environment and SDK.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the 'serial_read.py' utility, which feeds raw logs from external hardware back to the agent for analysis.
  • Ingestion points: Serial device files (/dev/ttyACM*, /dev/ttyUSB*) read via 'serial_read.py'.
  • Boundary markers: Absent; logs are returned directly to the agent without delimiters or safety context.
  • Capability inventory: The agent can execute 'bash', 'git', 'chmod', and 'python3'.
  • Sanitization: No sanitization or validation of the serial data is performed, allowing potentially malicious instructions from hardware to influence agent behavior.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 2, 2026, 03:18 AM