api-client
Fail
Audited by Gen Agent Trust Hub on Mar 19, 2026
Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The default password '123456789MikoPBX#1' is hardcoded as a fallback in 'scripts/api-request.sh' and documented as a default in 'README.md' and 'SKILL.md'.\n- [COMMAND_EXECUTION]: The 'scripts/api-request.sh' script constructs shell commands by interpolating user-provided variables (METHOD, ENDPOINT, DATA, JSON_PAYLOAD) into a string executed via 'bash -c' inside a Docker container. The script fails to escape single quotes in these variables, allowing an attacker to execute arbitrary commands by breaking out of the quoted strings inside the container context.
Recommendations
- AI detected serious security threats
Audit Metadata