model-council
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The documentation explicitly instructs users to install
@anthropic-ai/gemini-cliand@openai/codexglobally via npm. The use of the@anthropic-aiscope for a tool targeting Google's Gemini models is a major red flag for a supply chain attack or deceptive package naming. - CREDENTIALS_UNSAFE (HIGH): The
detect_clis.pyscript targets and reads sensitive files including~/.envand~/.config/skills/.env. It also prints the first 8 characters of detected API keys (e.g.,ANTHROPIC_API_KEY,OPENAI_API_KEY) to stdout. In an agent context, these logs are often stored in history or returned to the model, significantly increasing the risk of credential leakage. - PROMPT_INJECTION (LOW): As a multi-model orchestration tool, the skill is vulnerable to Indirect Prompt Injection (Category 8). (1) Ingestion point: Collects analysis from multiple external models in
Step 4. (2) Boundary markers: No delimiters or explicit instructions to ignore embedded commands are present in the synthesis step. (3) Capability inventory: References a missing scriptapi_council.pyand various external CLI binaries. (4) Sanitization: No sanitization or validation of model outputs is performed before Claude 'synthesizes' and implements the results. - COMMAND_EXECUTION (MEDIUM): The skill is designed to invoke external binaries and mentions an unprovided script
api_council.py, making the full extent of its execution logic unverifiable and potentially dangerous.
Recommendations
- AI detected serious security threats
Audit Metadata