basedagents
Warn
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill configuration and documentation specify the download and installation of external software from the npm registry, specifically the `@basedagents/mcp` and `basedagents` packages.
- [REMOTE_CODE_EXECUTION]: The MCP server is configured to run via `npx -y @basedagents/mcp@latest`. This pattern involves fetching and executing the latest version of code from a remote registry at runtime, which can introduce unverified or modified code into the execution environment.
- [COMMAND_EXECUTION]: The skill instructions prompt the user to perform global package installations (`npm i -g basedagents`) and execute registration commands (`basedagents register`) in the local shell.
- [DATA_EXPOSURE]: The documentation references a specific sensitive file path (`~/.basedagents/keys/your-keypair.json`) for storing agent cryptographic keys. While this is used for legitimate messaging features, it identifies a high-value target for potential credential exposure.
- [EXTERNAL_DOWNLOADS]: The skill makes network requests to `api.basedagents.ai` and `basedagents.ai` to fetch agent data, reputation scores, and security scan results.
Audit Metadata