moldable
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, CREDENTIALS_UNSAFE, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill repeatedly instructs the agent to use the runCommand tool with sandbox: false for tasks like pnpm add and application management. This parameter explicitly disables security restrictions, granting the agent arbitrary shell access to the host machine with network capabilities.
- CREDENTIALS_UNSAFE (HIGH): The skill documents the specific path and structure of ~/.moldable/shared/.env, explicitly identifying it as a store for sensitive secrets including ANTHROPIC_API_KEY and OPENAI_API_KEY. It provides procedures for reading and writing these credentials.
- PROMPT_INJECTION (HIGH): The moldable:set-chat-instructions API enables a Category 8 (Indirect Prompt Injection) vulnerability surface where external applications can programmatically modify the agent's system prompt context. Evidence: 1) Ingestion points: postMessage events in references/desktop-apis.md; 2) Boundary markers: Absent; 3) Capability inventory: Non-sandboxed runCommand, file system manipulation via writeFile and deleteApp; 4) Sanitization: None described.
- REMOTE_CODE_EXECUTION (HIGH): The workflows for scaffoldApp and dependency management allow the agent to download and execute arbitrary third-party code from the NPM registry. When executed with sandbox: false, this facilitates unverified code execution on the user's host.
- EXTERNAL_DOWNLOADS (MEDIUM): The addSkillRepo and syncSkills tools allow the agent to fetch executable content from arbitrary GitHub repositories. While the skill mentions trusted sources such as anthropic/skills (downgraded to LOW per [TRUST-SCOPE-RULE]), the mechanism itself allows any untrusted source to be integrated.
Recommendations
- AI detected serious security threats