dibbla

Fail

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION

Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill documentation provides command-line instructions to install the Dibbla CLI using piped shell scripts from https://install.dibbla.com/install.sh (macOS/Linux) and https://install.dibbla.com/install.ps1 (Windows). Additionally, the dibbla run command allows for fetching and executing arbitrary task pipelines from remote URLs, which is explicitly described as being equivalent to a 'curl | bash' operation.
  • [COMMAND_EXECUTION]: The skill enables the agent to execute shell commands through the dibbla run command and within the container build process during dibbla deploy. This allows for local command execution as part of project management and deployment workflows.
  • [EXTERNAL_DOWNLOADS]: The skill regularly fetches external content, including a template manifest from raw.githubusercontent.com/dibbla-agents/* and bootstrap scripts for project templates. These downloads are integral to the skill's scaffolding and update functionality.
  • [CREDENTIALS_UNSAFE]: The dibbla login --write-env command persists API tokens and URLs into a local .env file within the project directory. While the tool attempts to configure .gitignore to prevent these secrets from being committed, the presence of plaintext credentials on the filesystem remains a security consideration.
  • [DATA_EXFILTRATION]: The dibbla deploy command facilitates the upload of project source code and assets to the Dibbla platform. This is the primary mechanism for application hosting on the platform.
  • [PROMPT_INJECTION]:
    • The skill instructs the agent to use --yes or -y flags to bypass user confirmation for sensitive and potentially destructive operations, such as deleting applications, databases, or secrets.
    • The guardrails.md file defines a workflow where the agent reviews and processes untrusted application source code. This creates a surface for Indirect Prompt Injection (Category 8).
      • Ingestion points: Application source files (JavaScript, Python, etc.) reviewed during the pre-deploy guardrails check.
      • Boundary markers: No specific delimiters or boundary instructions are provided for the code review process.
      • Capability inventory: The agent has access to local shell execution via dibbla run and network access for application deployment via dibbla deploy.
      • Sanitization: There is no evidence of sanitization or filtering of the user-provided code before it is processed by the agent's logic.
Recommendations
  • HIGH: Downloads and executes remote code from: https://install.dibbla.com/install.sh - DO NOT USE without thorough review
Audit Metadata
Risk Level: HIGH
Analyzed: May 7, 2026, 07:53 AM