ghost-scan-deps
Fail
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (CRITICAL): The skill performs piped remote execution by downloading a shell script from an untrusted external repository and immediately executing it.
  - Evidence: agents/init/agent.md contains the command `curl -sfL https://raw.githubusercontent.com/ghostsecurity/wraith/main/scripts/install.sh | bash`.
  - Source: The GitHub organization `ghostsecurity` is not in the trusted organizations list.
- [EXTERNAL_DOWNLOADS] (HIGH): The skill downloads and executes a pre-compiled binary (wraith) from an unverified external source.
  - Evidence: agents/init/agent.md installs a binary to `~/.ghost/bin/wraith` which is later executed by the scan agent.
- [COMMAND_EXECUTION] (MEDIUM): The skill executes a downloaded binary with shell privileges to perform scanning operations.
  - Evidence: agents/scan/agent.md executes `~/.ghost/bin/wraith scan ...` using the Bash tool.
- [PROMPT_INJECTION] (LOW): The skill processes untrusted project files (lockfiles and source code) and feeds them into AI agents for analysis, creating an indirect prompt injection surface.
  - Ingestion points: Repository files (lockfiles and source code) entered via `Glob` and `Read` tools in `agents/discover/agent.md` and `agents/scan/agent.md`.
  - Boundary markers: Absent. No specific delimiters or instructions to ignore embedded commands are used when interpolating file content into agent prompts.
  - Capability inventory: The skill uses `Bash` (can execute any command), `Task` (can spawn subagents), and filesystem tools.
  - Sanitization: Absent. No evidence of content filtering or validation of ingested file data before it is analyzed by the subagents.
Recommendations
- AI detected serious security threats
Audit Metadata