anytype
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
NO_CODE, PROMPT_INJECTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- [NO_CODE] (HIGH): The core logic of the skill is housed in 'Tools/AnyType.ts', which was not provided for analysis. This prevents verification of whether the script performs unauthorized network requests, exfiltrates data, or includes malicious hidden behaviors.
- [PROMPT_INJECTION] (HIGH): The skill has a large Indirect Prompt Injection (IPI) attack surface due to the following factors:
  - Ingestion points: Data is ingested from AnyType objects (Markdown body, names, snippets) via the 'get' and 'search' commands in 'Workflows/Read.md' and 'Workflows/Search.md'.
  - Boundary markers: Absent. There are no delimiters or instructions to treat AnyType content as untrusted data.
  - Capability inventory: The skill can create, update, and archive (delete) objects as described in 'Workflows/Tasks.md'.
  - Sanitization: None provided.
  - Risk: An attacker-controlled note or task within AnyType could contain instructions that trick the agent into deleting data or performing unauthorized updates when the object is read.
- [COMMAND_EXECUTION] (MEDIUM): The skill requires the 'bun' runtime to execute local TypeScript files. While standard for Bun-based skills, this involves shell-level execution of logic that cannot be inspected.
- [CREDENTIALS_UNSAFE] (MEDIUM): The skill manages a local API key stored in '~/.config/anytype-skill/config.json'. While this is a common practice for local tools, the lack of source code visibility means it's unclear how securely the script handles this sensitive token during runtime.
Recommendations
- AI detected serious security threats