managing-adrs
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS / REMOTE_CODE_EXECUTION] (HIGH): The documentation (TROUBLESHOOTING.md) instructs users to execute a remote script directly via shell piping: curl -LsSf https://astral.sh/uv/install.sh | sh. While astral.sh is a known service provider, this pattern is a major security risk as it bypasses local validation and executes arbitrary remote code.
- [COMMAND_EXECUTION] (HIGH): The documentation (TROUBLESHOOTING.md) suggests using sudo chown to resolve permission issues. Encouraging users to apply elevated privileges to project directories is a risk factor for privilege escalation and system misconfiguration.
- [DATA_EXFILTRATION] (LOW): The scripts perform local file system operations (read/write/mkdir) on project directories. While no network exfiltration was detected, the scripts have broad access to read any markdown file within specified directories.
- [INDIRECT_PROMPT_INJECTION] (LOW): The adr_index.py script ingests content from external markdown files and extracts metadata (titles, statuses) via regex to build a README index. If an attacker controls an ADR file, they could inject malicious markdown or deceptive text into the project index.
  - Ingestion points: scripts/adr_index.py (via filepath.read_text())
  - Boundary markers: None (uses standard regex extraction)
  - Capability inventory: File system write access (README.md), directory creation (mkdir)
  - Sanitization: Basic regex extraction only; no escaping of extracted titles or statuses.
Recommendations
- AI detected serious security threats
Audit Metadata