blucli
Warn
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill installation logic fetches and compiles a Go module from 'github.com/steipete/blucli'. This source is not included in the predefined list of trusted organizations.
- COMMAND_EXECUTION (LOW): The skill is designed to invoke the 'blu' binary to perform discovery and playback tasks on the local network.
- PROMPT_INJECTION (LOW): The skill possesses an Indirect Prompt Injection surface. Evidence:
  1. Ingestion points: The skill processes external data via 'blu tunein search' results.
  2. Boundary markers: No delimiters or ignore-instruction warnings are present in the documentation.
  3. Capability inventory: The skill can execute local binary commands.
  4. Sanitization: There is no evidence of sanitization or validation for the data retrieved from external searches.
Audit Metadata