Skills
skills/danielmiessler/paiplugin/fabric/Gen Agent Trust Hub

fabric

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
  • Unverifiable Dependencies & Remote Code Execution (HIGH): The project promotes a one-line installation method (scripts/installer/install.sh and install.ps1) that downloads a remote script and pipes it directly to a shell (bash or PowerShell). This is a high-risk pattern as it bypasses local security checks and relies entirely on the integrity of the remote source.
  • Command Execution (HIGH): The web server backend (web/src/routes/obsidian/+server.ts) uses execAsync to run shell commands like mkdir -p and cp using the user-provided noteName. While content is escaped, the path variables themselves are interpolated into the shell string without sufficient sanitization, potentially allowing command injection via crafted note names containing shell metacharacters.
  • Command Execution (HIGH): The extension system (internal/plugins/template/extension_executor.go) executes arbitrary shell commands using sh -c. While it uses a template system, the execution of shell-wrapped strings is inherently risky if the input values (which may come from an LLM) are not perfectly sanitized.
  • Dynamic Execution (HIGH): The create_coding_feature capability (internal/core/chatter.go) parses LLM output for a specific marker (__CREATE_CODING_FEATURE_FILE_CHANGES__) and automatically applies 'create' or 'update' file operations to the local filesystem. This grants the AI model direct write access to the project directory, which could be exploited via prompt injection to introduce malicious code or backdoors.
  • Data Exposure & Exfiltration (MEDIUM): The template system includes built-in plugins for reading local files (internal/plugins/template/file.go) and fetching remote URLs (internal/plugins/template/fetch.go). While these have size limits (1MB), they provide the necessary primitives for an attacker to read sensitive local files and exfiltrate them to a remote server if a user runs a malicious pattern.
  • Indirect Prompt Injection (LOW): The project is designed to process highly untrusted data, such as YouTube transcripts, web scrapes, and PDF files. The tool lacks robust boundary markers or pre-processing sanitization to prevent 'jailbreak' or override instructions embedded in these external sources from influencing the agent's behavior (Category 8).
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/danielmiessler/fabric/main/scripts/installer/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:47 PM