pal-mcp-expert
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): The installation guide (references/installation-config.md) recommends running code fetched directly from an untrusted Git repository via uvx and a setup script (run-server.sh). Whoever can push to that repository can therefore execute arbitrary commands on the user's host at install or update time.
- PROMPT_INJECTION (HIGH): The skill presents a high-risk surface for indirect prompt injection (Category 8). It ingests untrusted data from local codebases through tools such as chat, codereview, precommit, and analyze, while retaining high-privilege capabilities such as file generation and CLI subagent spawning, so instructions embedded in the code being reviewed can steer a privileged agent. Evidence:
  1. Ingestion points: the chat, codereview, and precommit tools in references/tool-catalog.md.
  2. Boundary markers: absent.
  3. Capability inventory: clink CLI subagents and chat code generation in references/tool-catalog.md.
  4. Sanitization: absent.
- COMMAND_EXECUTION (HIGH): The clink tool spawns subagents with access to system CLIs, and the MCP configuration instructions rely on complex shell command interpolation. If the agent is compromised (for example through the injection surface above), that interpolation can be hijacked to run attacker-chosen commands.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill pulls code from the GitHub organization BeehiveInnovations, which is not on the allowlist.
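The REMOTE_CODE_EXECUTION and COMMAND_EXECUTION findings both come down to how the server is launched: an install pulled from a mutable Git ref, and a launch command that passes through a shell. The following checker is an added example written for this page, not code from the audited skill or from Gen Agent Trust Hub. It assumes the common MCP client config shape (a JSON object with `mcpServers`, each entry carrying `command`, `args`, and optionally `env`), and it assumes a pinning policy of "full commit hash or nothing"; the sample config, the `example-org/example-mcp` repository, and the 40-hex placeholder hash are all constructed for the example. The `git+URL@ref` form in the `--from` argument is the syntax uvx accepts for Git sources.

```python
import json
import os
import re

# Constructed sample config (not the project's own installation snippet).
# Three launch styles: an unpinned git source, a branch-pinned source,
# a full-commit-pinned source, and a wrapper that goes through `sh -c`.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "pal-unpinned": {
            "command": "uvx",
            "args": ["--from", "git+https://github.com/example-org/example-mcp.git",
                     "example-mcp"],
        },
        "pal-branch": {
            "command": "uvx",
            "args": ["--from", "git+https://github.com/example-org/example-mcp.git@main",
                     "example-mcp"],
        },
        "pal-pinned": {
            "command": "uvx",
            # placeholder 40-hex commit id, constructed for the example
            "args": ["--from",
                     "git+https://github.com/example-org/example-mcp.git"
                     "@0123456789abcdef0123456789abcdef01234567",
                     "example-mcp"],
        },
        "wrapper": {
            "command": "/bin/sh",
            "args": ["-c", "exec $(cat ~/.mcp/launcher)"],
        },
    }
})

# git+<url>[@<ref>][#fragment]; the ref is what decides whether the install is pinned
GIT_SOURCE = re.compile(r"^git\+(?P<url>[^@]+?)(?:@(?P<ref>[^#]+))?(?:#.*)?$")
# policy assumption: only a full sha1 or sha256 commit id counts as pinned
FULL_COMMIT = re.compile(r"^[0-9a-f]{40}$|^[0-9a-f]{64}$")
# command substitution and parameter expansion that a shell would evaluate
SHELL_INTERP = re.compile(r"\$\(|`|\$\{")
SHELLS = {"sh", "bash", "zsh", "dash", "cmd", "cmd.exe", "powershell", "pwsh"}


def check_git_sources(args):
    """Flag git+ sources that track a branch/tag or no ref at all."""
    findings = []
    for arg in args:
        m = GIT_SOURCE.match(arg)
        if not m:
            continue
        ref = m.group("ref")
        if ref is None:
            findings.append(f"unpinned git source (default branch): {arg}")
        elif not FULL_COMMIT.match(ref):
            findings.append(f"git source pinned to mutable ref {ref!r}: {arg}")
    return findings


def check_shell_interpolation(command, args, env):
    """Flag launches that hand a string to a shell or embed shell expansion."""
    findings = []
    base = os.path.basename(command).lower()
    if base in SHELLS and "-c" in args:
        findings.append(f"server launched through {base} -c; launch string is shell-parsed")
    for value in list(args) + list(env.values()):
        if SHELL_INTERP.search(value):
            findings.append(f"shell interpolation in launch spec: {value!r}")
    return findings


def audit_mcp_config(text):
    """Return {server_name: [findings]} for every server with at least one finding."""
    cfg = json.loads(text)
    report = {}
    for name, spec in cfg.get("mcpServers", {}).items():
        command = str(spec.get("command", ""))
        args = [str(a) for a in spec.get("args", [])]
        env = {k: str(v) for k, v in spec.get("env", {}).items()}
        findings = check_git_sources(args) + check_shell_interpolation(command, args, env)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for server, findings in audit_mcp_config(SAMPLE_CONFIG).items():
        for finding in findings:
            print(f"{server}: {finding}")
```

Run against the sample, the checker reports the unpinned and branch-tracking entries and both problems with the `sh -c` wrapper, and stays silent on the entry pinned to a full commit. Pinning to a commit does not make the upstream code trustworthy; it only makes a later push to the repository unable to change what gets executed on the next update without a visible config change.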
Recommendations
- AI detected serious security threats
Audit Metadata