zai-cli

Warn

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill requests broad Bash(cmd:*) permissions to execute its primary functions via the zai-cli tool, allowing for arbitrary command execution beyond the intended scope.
  • [EXTERNAL_DOWNLOADS]: The skill relies on npx to fetch the zai-cli package from the public NPM registry at runtime, which is an external dependency not managed within the skill itself.
  • [REMOTE_CODE_EXECUTION]: Execution of npx zai-cli involves downloading and running code from the NPM registry, representing a remote code execution vector.
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection (Category 8) because it is designed to ingest and process untrusted data from the web and external code repositories.
      ◦ Ingestion points: The search, read, and repo subcommands fetch content from the live web and GitHub.
      ◦ Boundary markers: No specific delimiters or instructions are provided to the agent to disregard instructions embedded within the fetched content.
      ◦ Capability inventory: The agent has access to full bash execution, file system modification (Write/Edit), and network requests (WebFetch).
      ◦ Sanitization: There is no evidence of input sanitization or content filtering before the data is processed by the AI.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 11, 2026, 11:49 PM