endor-setup
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads the `endorctl` binary from the official vendor domain `api.endorlabs.com`. This is a standard and necessary step for the skill's primary function of setting up the Endor Labs CLI tool.
- [REMOTE_CODE_EXECUTION]: After downloading the tool, the skill grants execution permissions and runs the binary. It includes a security best practice by verifying the binary's integrity against a SHA-256 checksum fetched from the same trusted vendor API.
- [COMMAND_EXECUTION]: The skill executes shell commands to perform environment setup tasks, such as creating a local binary directory (`~/bin`), moving files, and updating the shell's `PATH` variable. These operations are routine for CLI tool installations.
- [PROMPT_INJECTION]: The skill features an automated workflow that fetches command-line flags from the vendor's documentation site (`docs.endorlabs.com`) and interpolates them into execution commands. This constitutes an indirect prompt injection surface where the agent's actions could be influenced by external web content.
  - Ingestion points: The skill uses `WebFetch` to read content from `https://docs.endorlabs.com/endorctl/commands/scan/` inside the `SKILL.md` workflow.
  - Boundary markers: No explicit delimiters or instructions are used to separate the fetched content from the rest of the command string.
  - Capability inventory: The skill has the capability to execute shell commands via subprocesses with the fetched parameters.
  - Sanitization: No explicit validation or filtering of the flags extracted from the documentation is performed before they are used in commands.