motion
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADS
Full Analysis
- Data Exposure & Exfiltration (LOW): The script
scripts/get-example.shperforms network requests usingcurltomotion.devto verify example availability. This domain is not included in the predefined whitelist. However, no sensitive local data is accessed or transmitted to this domain. - Indirect Prompt Injection (LOW): The skill creates a surface for untrusted data ingestion by fetching content from the external site
motion.dev. Evidence Chain: 1. Ingestion points:scripts/get-example.sh(fetches documentation pages). 2. Boundary markers: None present in the script or its output. 3. Capability inventory: The skill has the ability to execute shell commands (curl,jq,grep) and perform network operations. 4. Sanitization: No sanitization is performed on the fetched content, though the script currently only uses the response for a null check.
Audit Metadata