day5-fetch-and-digest
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill automatically initiates an installation using 'npx skills add ai-native-camp/camp-1', which fetches and installs agent logic from a third-party source not included in the trusted vendors list.
- [COMMAND_EXECUTION]: The skill requires the use of several CLI tools including 'yt-dlp', 'sed', 'grep', and 'tr' to handle media metadata and perform text processing via subprocesses.
- [REMOTE_CODE_EXECUTION]: The tutorial guides the agent to dynamically generate and write 'SKILL.md' files—which contain executable agent logic—to the local '.claude/skills/' directory based on user-provided templates.
- [DATA_EXFILTRATION]: The generated skills perform network requests to non-whitelisted domains such as 'api.fxtwitter.com' to fetch external content.
Audit Metadata