pocketbase

Fail

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The bootstrap section in SKILL.md instructs the agent to download the PocketBase binary directly from https://github.com/pocketbase/pocketbase/releases/download/. This repository is not on the trusted vendors list, and downloading/executing external binaries is a significant security risk.
  • [REMOTE_CODE_EXECUTION]: The skill uses a curl | python3 pattern to parse version strings from the GitHub API and executes the downloaded PocketBase binary using ./pocketbase serve. Additionally, SKILL.md contains inline Python code executed via python3 -c for JSON processing.
  • [COMMAND_EXECUTION]: The skill employs potentially dangerous shell commands including nohup, pgrep, and kill to manage the PocketBase process lifecycle, and uses unzip to handle external archives.
  • [DATA_EXFILTRATION]: scripts/pb_config.py includes a _load_env_file() function that recursively searches parent directories up to the filesystem root for .env files. This behavior can lead to the unintended exposure of sensitive credentials and configuration secrets located outside the project directory.
  • [PROMPT_INJECTION]: SKILL.md contains several 'IMPORTANT' and 'CRITICAL' blocks that attempt to override the agent's behavior by mandating specific patterns (e.g., 'Read references/gotchas.md FIRST', 'DO NOT USE v0.22 Anti-Patterns'). While primarily intended for compatibility, these use forceful language common in injection attempts.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes record data from an external PocketBase backend (via pb_records.py). If the backend contains untrusted content, it serves as an ingestion point for indirect prompt injection, especially given the skill's capabilities to execute commands and write files.
    • Ingestion points: pb_records.py list, pb_collections.py get (reads from REST API).
    • Boundary markers: None detected in prompt templates.
    • Capability inventory: Bash, Write, Edit (full filesystem and shell access).
    • Sanitization: No explicit sanitization or escaping of record content before it enters the agent context.
Recommendations
  • HIGH: Downloads and executes remote code from: https://api.github.com/repos/pocketbase/pocketbase/releases/latest - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 27, 2026, 01:37 PM