native-web-search

Warn

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The resolveConfigValue function in search.mjs executes arbitrary shell commands using execSync when a configuration value in auth.json is prefixed with an exclamation mark (!). This allows for command execution if the local configuration file is modified.
  • [REMOTE_CODE_EXECUTION]: The skill utilizes dynamic module loading in loadPiAi, searching for and importing the @mariozechner/pi-ai module from paths that include the current working directory and user-defined environment variables. This could lead to the execution of malicious code if the skill is run in a compromised directory.
  • [CREDENTIALS_UNSAFE]: The script manages sensitive API keys and OAuth tokens for OpenAI and Anthropic, storing them in plain text within a local configuration file (~/.pi/agent/auth.json).
  • [PROMPT_INJECTION]: The skill is susceptible to both direct and indirect prompt injection. It lacks sanitization for user-provided query and purpose strings and does not use boundary markers when processing untrusted web search results.
  • Ingestion points: Web search results processed by the LLM tools in search.mjs.
  • Boundary markers: Absent.
  • Capability inventory: Shell command execution via execSync in search.mjs.
  • Sanitization: None.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 15, 2026, 05:00 PM