native-web-search

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The resolveConfigValue function in search.mjs executes arbitrary shell commands using execSync if a configuration value starts with an exclamation mark (!). This is used for dynamic resolution of settings such as API keys.
  • [REMOTE_CODE_EXECUTION]: The script uses dynamic import() to load the @mariozechner/pi-ai module from paths that are constructed at runtime, including paths specified by environment variables (PI_AI_MODULE_PATH, PI_CODING_AGENT_DIR) and local directory structures.
  • [PROMPT_INJECTION]: The skill interpolates the user-provided search query and purpose directly into the prompt template in search.mjs without sanitization, creating an indirect prompt injection surface.
      • Ingestion points: Command-line arguments parsed from process.argv in search.mjs.
      • Boundary markers: No delimiters or instructions are used to separate user input from the system prompt.
      • Capability inventory: The script has the ability to execute shell commands, read/write local files, and make network requests.
      • Sanitization: Input strings are used directly without escaping or validation.
  • [DATA_EXFILTRATION]: The script reads sensitive authentication tokens from the auth.json file located in the user's agent directory (e.g., ~/.pi/agent/auth.json) and transmits them to OpenAI and Anthropic API endpoints to facilitate the search functionality.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 1, 2026, 11:18 AM