nixomatic
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFE
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands using `nix develop` or `docker run` to provide project-specific tools and runtimes. This is a core function but grants the skill significant control over the local execution environment.
- [REMOTE_CODE_EXECUTION]: The skill fetches and executes remote Nix flakes from https://nixomatic.com. Since these flakes can contain arbitrary instructions for the Nix environment, this constitutes remote code execution via a vendor-managed service.
- [EXTERNAL_DOWNLOADS]: The skill downloads environment configurations and Nix flakes from the external domain nixomatic.com during the execution of both Nix and Docker command templates.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its logic for managing development environments.
  - Ingestion points: The agent reads project manifest files (e.g., `package.json`, `Cargo.toml`) and the project `README.md` to identify required packages or existing environment URLs.
  - Boundary markers: There are no specific delimiters or instructions to ignore embedded commands within the files being analyzed.
  - Capability inventory: The skill possesses high-privilege capabilities including arbitrary shell command execution via `nix` and `docker`, as well as the ability to modify the project's `README.md`.
  - Sanitization: The skill lacks mechanisms to sanitize or validate the integrity of nixomatic.com URLs found in a project's documentation before reusing them, which could allow an attacker to trick the agent into running a malicious flake.
Audit Metadata