autocli
Fail
Audited by Gen Agent Trust Hub on Apr 5, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructions recommend installing the core autocli binary by piping a remote script from GitHub directly into the shell.
  - Evidence: The command curl -fsSL https://raw.githubusercontent.com/nashsu/AutoCLI/main/scripts/install.sh | sh executes unverified code with user privileges.
- [DATA_EXFILTRATION]: The skill is designed to access and retrieve sensitive personal information by leveraging the user's logged-in web sessions.
  - Evidence: Commands such as twitter bookmarks, weread highlights, and bilibili history allow the agent to read private user data.
- [COMMAND_EXECUTION]: The skill grants the agent the ability to execute the autocli binary and provides passthrough access to powerful system utilities.
  - Evidence: The agent can run gh (GitHub CLI), docker, and kubectl commands through the tool.
- [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection due to its broad ingestion of untrusted web content.
  - Ingestion points: Data enters the context from social media, forums, and transcripts (SKILL.md).
  - Boundary markers: No markers or warnings to ignore embedded instructions are present.
  - Capability inventory: The agent has subprocess execution and file writing capabilities.
  - Sanitization: No sanitization or validation of the fetched web content is documented.
- [COMMAND_EXECUTION]: The agent is instructed to dynamically generate and store YAML configuration files that define logic for scraping new websites.
  - Evidence: The agent is told to write new adapters to the ~/.autocli/adapters/ directory.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/nashsu/AutoCLI/main/scripts/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata