direnv
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The installation guide in `references/installation.md` promotes the use of `curl -sfL https://direnv.net/install.sh | bash`. This pattern is highly susceptible to Man-in-the-Middle attacks or server-side compromises, leading to arbitrary code execution.
- [EXTERNAL_DOWNLOADS] (HIGH): The `source_url` function, documented in `references/stdlib-functions.md`, allows the agent to download and source shell scripts from arbitrary external URLs. This provides a direct mechanism for remote code execution at runtime.
- [COMMAND_EXECUTION] (HIGH): The skill requires users to add hooks to shell profiles (e.g., `eval "$(direnv hook zsh)"`). This creates a persistent mechanism where code is executed every time the shell prompt is rendered or the directory changes.
- [COMMAND_EXECUTION] (HIGH): The core functionality involves executing the contents of `.envrc` files. As detailed in the Category 8 (Indirect Prompt Injection) threat model, this combines the ingestion of untrusted data with full shell execution capabilities.
  - Ingestion points: `.envrc` and `.env` files in the local filesystem.
  - Boundary markers: Relies on the `direnv allow` manual authorization step to mitigate accidental execution.
  - Capability inventory: Full subprocess and shell execution via the host's shell.
  - Sanitization: None; scripts are executed directly as shell code.
Recommendations
- CRITICAL: Downloads and executes remote code from untrusted source(s): https://direnv.net/install.sh - DO NOT USE
- AI detected serious security threats
Audit Metadata