andromeda-messages
Fail
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: HIGH (CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill documentation includes a hardcoded API token (`andromeda25`) in the `Authorization: Bearer` header for all API request examples. This sensitive information is exposed directly within the skill's logic.
- [COMMAND_EXECUTION]: The skill instructs the agent to use `curl` to perform various HTTP operations (POST, GET, PATCH, DELETE). These commands are used to modify remote state on the Andromeda Galaxy page.
- [EXTERNAL_DOWNLOADS]: The skill facilitates communication with the external domain `https://www.mishabuloichyk.com`. While this appears to be the author's own domain for data storage, hardcoded credentials for such services are a significant vulnerability.
- [PROMPT_INJECTION]: The skill ingests data from the `/api/andromeda` endpoint which could potentially contain untrusted content. There are no explicit boundary markers or sanitization steps documented to handle malicious instructions embedded in the API responses.
Recommendations
- AI detected serious security threats
Audit Metadata