eightctl
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill metadata specifies the installation of a binary from a third-party GitHub repository (github.com/steipete/eightctl) using the Go toolchain. While common for this type of utility, the source is not a pre-approved trusted organization.
- [COMMAND_EXECUTION]: The skill invokes the eightctl command-line utility to perform device management tasks. This execution is central to the skill's primary function.
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it processes data retrieved from external sources (the Eight Sleep API) and returns it to the agent.
  - Ingestion points: Command output from eightctl status, eightctl alarm list, and eightctl schedule list.
  - Boundary markers: No delimiters or sanitization logic are defined to distinguish external data from instructions.
  - Capability inventory: The skill can execute various eightctl subcommands to modify hardware states.
  - Sanitization: No explicit sanitization or validation of the API data is performed before processing.