Gen Agent Trust Hub audit of skill: search (l-yifan/skills/search)

Status: Warn

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The shell script scripts/search.sh accesses sensitive authentication tokens stored in the user's home directory.
    * Evidence: The script scans ~/.mcp-auth/ for *_tokens.json files to extract the access_token field.
    * Context: The extracted token is subsequently transmitted to https://mcp.tavily.com/mcp to authenticate API requests.
  • [REMOTE_CODE_EXECUTION]: The script scripts/search.sh dynamically downloads and executes code from a remote source.
    * Evidence: It uses npx -y mcp-remote https://mcp.tavily.com/mcp to initiate an OAuth flow if no local credentials are found.
  • [EXTERNAL_DOWNLOADS]: The shell script uses npx to download the mcp-remote package at runtime from the npm registry.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from the web.
    * Ingestion points: Web search results retrieved via the Tavily API in scripts/search.py and scripts/search.sh.
    * Boundary markers: No delimiters or specific instructions are provided to the agent to treat the retrieved content as untrusted.
    * Capability inventory: The skill can read local auth tokens and perform network requests.
    * Sanitization: The skill does not perform any sanitization or validation of the content returned by the search engine before passing it to the agent context.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 14, 2026, 08:29 AM