rodney
Fail
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs users to download and install the 'rodney' tool from a non-whitelisted GitHub repository (simonw/rodney) or via package managers (uv, pipx).
- [COMMAND_EXECUTION]: Manual installation steps involve high-privilege operations, specifically 'sudo mv rodney /usr/local/bin/', to move an unverified binary into a system-wide executable path.
- [COMMAND_EXECUTION]: The skill's primary functionality relies on executing the 'rodney' binary from the shell, which grants the agent the ability to spawn browser processes and interact with the local filesystem (via 'rodney screenshot' and 'rodney pdf').
- [REMOTE_CODE_EXECUTION]: The 'rodney js ' and 'rodney assert ' commands allow the execution of arbitrary JavaScript code within the context of the browser. This could be leveraged to perform unauthorized actions or extract sensitive data from web sessions.
- [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection (Category 8) as it processes untrusted data from external websites.
  - Ingestion points: Browser navigation via 'rodney open ' and content extraction via 'rodney text' or 'rodney html' (SKILL.md, commands.md).
  - Boundary markers: Absent; there are no delimiters or instructions provided to the agent to ignore malicious commands embedded in web content.
  - Capability inventory: The skill can execute JavaScript ('rodney js'), write files ('rodney screenshot', 'rodney pdf'), and perform network downloads ('rodney download').
  - Sanitization: Absent; web content is processed and acted upon without validation or escaping.
Recommendations
- AI detected serious security threats