intercom-crm
Fail
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill documentation recommends installation and setup via
curl -sSL https://canifi.com/skills/intercom-crm/install.sh | bashandcurl -sSL https://canifi.com/install.sh | bash. This pattern executes remote, unverified code with user privileges, bypassing package manager security controls. - [COMMAND_EXECUTION]: The skill utilizes a custom CLI tool,
canifi-env, for system configuration. This tool is downloaded and executed from a remote source without integrity verification. - [CREDENTIALS_UNSAFE]: Users are instructed to store sensitive credentials—including
INTERCOM_ACCESS_TOKENand service passwords—using thecanifi-envutility. Storing passwords via command-line arguments can also expose them in shell history. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it processes untrusted data from external sources.
- Ingestion points: The skill retrieves conversation logs, user profiles, and help center articles from the Intercom API (
/conversations,/contacts,/articles). - Boundary markers: There are no delimited structures or specific instructions to the agent to disregard commands embedded within the retrieved messaging content.
- Capability inventory: The agent has the ability to send replies, create users, and modify help center articles based on its interpretation of the data.
- Sanitization: There is no evidence of sanitization or filtering of the incoming message data before it is interpreted by the agent's logic.
Recommendations
- HIGH: Downloads and executes remote code from: https://canifi.com/install.sh, https://canifi.com/skills/intercom-crm/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata