agentation

Audit result: Fail

Audited by Gen Agent Trust Hub on Mar 20, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: Automated scans detected a dangerous execution pattern where data from a local network endpoint (http://localhost:4747/pending) is piped directly to the python3 interpreter. This bypasses typical script execution safety and can be exploited to execute arbitrary code if the local port is compromised.
  • [COMMAND_EXECUTION]: The skill installs persistent hooks (UserPromptSubmit and AfterAgent) into global agent configuration files (~/.claude/claude_desktop_config.json, ~/.gemini/settings.json, etc.). These hooks execute shell commands automatically on every user interaction or agent turn, creating a significant persistent command execution surface.
  • [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by ingesting UI annotations (comments and CSS selectors) from an external source and instructing the agent to fix code based on those comments.
      • Ingestion points: Annotations are fetched from http://localhost:4747/pending (documented in SKILL.md Section 4).
      • Boundary markers: Absent; instructions do not include delimiters or warnings to ignore embedded commands.
      • Capability inventory: The agent has access to Bash, Write, Grep, and Glob tools (documented in SKILL.md frontmatter).
      • Sanitization: Absent; the agent is directly instructed to make changes described in the user comments.
  • [EXTERNAL_DOWNLOADS]: Setup and installation instructions rely on npx to fetch and execute external packages (agentation-mcp, add-mcp) at runtime. These packages are not pinned to specific versions or verified via integrity hashes in the provided setup scripts.
Recommendations
  • HIGH: Downloads and executes remote code from http://localhost:4747/pending. DO NOT USE without thorough review.
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 20, 2026, 07:00 AM