aif
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches and installs third-party skills from the external registry 'skills.sh' and configures Model Context Protocol (MCP) servers from the npm registry.
- [REMOTE_CODE_EXECUTION]: Executes remote code via 'npx skills install' and deploys executable MCP servers (e.g., @modelcontextprotocol/server-github). The skill includes a dedicated Level 1 security scanner script to mitigate risks from these downloads before use.
- [COMMAND_EXECUTION]: Utilizes the Bash tool to execute system-level commands including 'npx', 'mkdir', 'rm -rf' (for cleanup of malicious skills), and 'python' for running its security scanning utilities.
- [PROMPT_INJECTION]: Vulnerable to indirect prompt injection.
  1. Ingestion points: Analyzes project-specific files like package.json, go.mod, and custom rule files in .ai-factory/skill-context/aif/SKILL.md.
  2. Boundary markers: The skill instructions emphasize manual review but lack explicit structural delimiters to isolate analyzed data from instructions.
  3. Capability inventory: Access to Bash execution, filesystem Write operations, and the ability to trigger other Skills.
  4. Sanitization: No automated sanitization or escaping is performed on data retrieved from project files or external configurations.
Audit Metadata