gastown
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to download and install the 'gt' and 'bd' CLI tools from the 'steveyegge/gastown' and 'steveyegge/beads' GitHub repositories using 'go install'.
- [REMOTE_CODE_EXECUTION]: By installing and executing binaries from a non-whitelisted public repository, the skill performs remote code execution as part of its setup and operational flow.
- [COMMAND_EXECUTION]: The instructions mandate that the agent executes all CLI operations via the Bash tool and explicitly tells the agent that the 'user NEVER runs terminal commands', centralizing control of the terminal within the AI.
- [PROMPT_INJECTION]: The skill uses strong persona-setting directives such as 'complete mastery' and 'you are the orchestrator', while also granting 'creative license' to 'go off-script', which could lead the agent to ignore or bypass safety constraints.
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection as it processes untrusted data from external sources.
  - Ingestion points: The agent reads data from 'beads', 'molecules', and 'mail' messages.
  - Boundary markers: No delimiters or instructions to ignore embedded commands are present when processing these inputs.
  - Capability inventory: The agent has the ability to run arbitrary shell commands, install software, and manage network-based 'mail' communication.
  - Sanitization: There is no evidence of sanitization or validation for the content ingested from the tracking system or communication logs.