nixomatic
Warn
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill fetches and evaluates Nix flakes from https://nixomatic.com. Nix flakes are executable expressions that define environment configurations. The use of the --accept-flake-config flag in the command template allows the remote source to potentially override local Nix security settings or configuration.
- [EXTERNAL_DOWNLOADS]: The skill automatically downloads environment definitions and Nix expressions from an external domain (nixomatic.com) that is not on the trusted vendor list. These downloads are triggered based on the presence of project files or existing documentation.
- [COMMAND_EXECUTION]: The skill executes arbitrary shell commands inside the dynamically created environment using nix develop --command or docker run. It mounts the current project directory ($PWD) into the Docker container, providing the remote-configured environment access to the local filesystem.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through project files.
  - Ingestion points: The skill reads the project's README.md to find and reuse existing nixomatic.com URLs, which serve as the baseline for environment configuration.
  - Boundary markers: No boundary markers or sanitization logic are used when parsing the URL from the README.md.
  - Capability inventory: The agent can execute complex commands and modify the README.md file based on the content of the parsed URL.
  - Sanitization: While the skill avoids reading file contents of potentially sensitive files, it merges package lists with the URL retrieved from the untrusted README.md file without validation.
Audit Metadata