plugin-installer

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Categories: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • EXTERNAL_DOWNLOADS (HIGH): The skill includes documentation for 'LLM-API-Key-Proxy', which directs the agent to download binaries from GitHub Releases (Mirrowel/LLM-API-Key-Proxy). These are untrusted sources not covered by the Trusted External Sources list.
  • REMOTE_CODE_EXECUTION (HIGH): The catalog provides explicit instructions to clone and execute Python code and binaries from untrusted repositories. The use of non-existent models (GPT 5.2, Claude 4.5) suggests the remote code is likely malicious or designed to exfiltrate API keys via proxying.
  • COMMAND_EXECUTION (HIGH): The skill instructs the agent to perform dangerous operations such as 'chmod +x' on external binaries and running 'python src/proxy_app/main.py' after a git clone.
  • PROMPT_INJECTION (LOW): (Category 8: Indirect Prompt Injection) The skill reads third-party markdown files in 'references/plugins/' and uses their content to instruct the agent on how to modify its system configuration ('opencode.json').
  • Ingestion points: Multiple .md files in 'references/plugins/' are read by the 'list_plugins.py' script and the agent.
  • Boundary markers: No delimiters or warnings are used to prevent the agent from obeying instructions embedded in the plugin descriptions.
  • Capability inventory: The agent is authorized to modify system configuration files and execute shell commands to install plugins.
  • Sanitization: No sanitization or validation of the plugin metadata or installation instructions is performed.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:08 PM