pair-agent
Fail
Audited by Snyk on May 3, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly requires printing the full instruction block verbatim (which contains one-time setup keys/session tokens) and asks to accept and embed user-provided ngrok auth tokens into commands, forcing the LLM to handle and output secrets directly.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). This skill deliberately provisions remote agent access to the user's local browser (including an option for admin-level JS/cookie/storage access), writes credentials into other agents' config paths, and exposes the local server via ngrok tunnels—behavior that enables remote control, credential theft, and data exfiltration and therefore functions as an intentional backdoor-like capability.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's required preamble and setup explicitly fetch and ingest third‑party content (e.g., the bun installer via curl https://bun.sh/install and the GBrain Sync steps that run git fetch/merge and gstack-brain-sync), and the /pair-agent flow also enables a remote agent to browse arbitrary public websites—all public/untrusted sources that the agent will read/interpret and which can materially alter tool use and next actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill's setup step conditionally downloads and executes a remote installer script (curl -fsSL "https://bun.sh/install" -> bash "$tmpfile"), so https://bun.sh/install is fetched and executed at runtime as a required dependency.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill directs the agent to run installers, write credentials/config files, start network tunnels (ngrok) and can grant remote agents admin browser access (JS/cookies/storage), which modifies machine state and exposes sensitive data/network without requiring sudo but still poses high risk.
Issues (5)
W007
HIGHInsecure credential handling detected in skill instructions.
E006
CRITICALMalicious code pattern detected in skill scripts.
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W013
MEDIUMAttempt to modify system services in skill instructions.
Audit Metadata