updater
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool restricted to 'updater:*' commands. This grants the agent the ability to manage system software, including installation, deletion (moving to Trash), and configuration changes. These are intended functions for the software manager.
- [EXTERNAL_DOWNLOADS]: The skill suggests installing the core CLI tool from a third-party Homebrew tap ('lu-zhengda/tap/updater'). While this is an external source, it is the primary vendor resource for this skill.
- [REMOTE_CODE_EXECUTION]: The 'updater upgrade' and 'updater install' commands fetch and execute external packages or updates. This behavior is the tool's primary purpose and is restricted to the specific vendor utility.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection by ingesting untrusted application metadata.
  - Ingestion points: Metadata enters via 'updater check', 'updater scan', and 'updater history' commands (e.g., app names, release notes).
  - Boundary markers: No delimiters or safety instructions are used to wrap external content.
  - Capability inventory: The agent can execute any 'updater' command, including those that modify system files.
  - Sanitization: No sanitization of retrieved metadata is performed.