rclone
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
- Remote Code Execution (CRITICAL): The skill instructs the agent and user to execute curl https://rclone.org/install.sh | sudo bash. This is a classic 'curl-pipe-bash' vulnerability that executes unverified remote code with root privileges. Even though the domain is rclone.org, it is not within the defined [TRUST-SCOPE-RULE], making this a critical security finding.
- Privilege Escalation (HIGH): Multiple instructions (in SKILL.md and scripts/check_setup.sh) advocate for the use of sudo bash, sudo apt install, and sudo dnf install. In an automated agent context, this allows for the acquisition of system-level permissions.
- Data Exfiltration (HIGH): The core purpose of the skill is to move files to remote cloud storage. In the hands of an AI agent, this provides a powerful mechanism for data exfiltration if the agent is tricked into uploading sensitive local files (like ~/.ssh/ or .env files) to an attacker-controlled remote bucket.
- Indirect Prompt Injection (HIGH): This skill exhibits a high-risk attack surface for indirect prompt injection.
  - Ingestion points: Processes user requests for file paths and remote destinations, and interacts with file system metadata.
  - Boundary markers: None. There are no delimiters or instructions to ignore embedded content in file names or contents.
  - Capability inventory: Full file system read access and network write access via the rclone binary.
  - Sanitization: None. The skill executes shell commands directly using interpolated variables, which could lead to command injection if file names or remote names are maliciously crafted.
- Command Execution (HIGH): The skill relies heavily on executing shell commands with potentially untrusted input, including rclone copy, rclone sync, and rclone config create.
Recommendations
- AI detected serious security threats
Audit Metadata