solo-init
Warn
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill attempts to execute the `solograph` package using the command `uvx solograph --help`. The `uvx` tool downloads and executes code from the Python Package Index (PyPI) at runtime. As `solograph` is not associated with a trusted organization or the skill author ('fortunto2'), this represents the execution of untrusted remote code.
- [EXTERNAL_DOWNLOADS]: The skill triggers the download of the `solograph` package from an external registry (PyPI) during the tool verification step.
- [COMMAND_EXECUTION]: The skill uses the `Bash` tool for system-level operations, including directory creation (`mkdir -p ~/.solo-factory`) and the execution of the `uvx` check.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by incorporating unsanitized user responses and external template content into markdown and YAML configuration files. These files (e.g., `manifest.md`, `dev-principles.md`) are designed to be consumed by other skills, creating an attack surface where malicious user input could influence subsequent agent behavior.
  - Ingestion points: User answers gathered via `AskUserQuestion` and local template files from the `templates/` directory.
  - Boundary markers: No delimiters or warnings are present in the generation logic to isolate user-provided content within the generated configuration files.
  - Capability inventory: The skill utilizes `Bash`, `Write`, and `Edit` to configure and persist the project environment.
  - Sanitization: The skill does not implement input validation or escaping for user-provided strings before writing them to persistent files.