taskmarket

Fail

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The 'Session Bootstrap' section requires the agent to fetch a remote file from https://market.daydreams.systems/skill.md and immediately 're-read' it to update its behavior, effectively enabling remote updates to the agent's logic without user intervention.
  • [COMMAND_EXECUTION]: The skill instructs the agent to parse a pendingActions array from a remote API response and execute the provided command strings 'verbatim.' This allows the API provider to execute arbitrary Bash commands on the host system.
  • [EXTERNAL_DOWNLOADS]: The skill performs a global installation of the @lucid-agents/taskmarket package. This package originates from an organization not listed in the trusted vendors list, and global installations often require or attempt to gain elevated privileges.
  • [CREDENTIALS_UNSAFE]: The command taskmarket wallet import encourages the input of private keys. Processing raw cryptographic secrets within an AI agent's context increases the risk of those secrets being logged or accidentally exfiltrated through standard output or error reporting.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 5, 2026, 06:39 AM