zai-cli
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [Category 4: Unverifiable Dependencies] (MEDIUM): The skill uses npx zai-cli to execute its functionality. This command downloads and runs code from an external, unverified npm package, posing a risk of executing malicious code if the package is compromised.
- [Category 8: Indirect Prompt Injection] (HIGH): The skill is vulnerable to indirect prompt injection because it processes untrusted external content while possessing high-impact capabilities. Ingestion points: it reads content from web pages (zai-cli read), GitHub repositories (zai-cli repo), and search results (zai-cli search). Boundary markers: no boundary markers or instructions are provided to the agent to distinguish internal instructions from external data. Capability inventory: it has access to arbitrary code execution via zai-cli code run / eval and direct tool invocation via zai-cli call. Sanitization: there is no evidence of sanitization or safety checks on ingested data.
- [Category 10: Dynamic Execution] (HIGH): The code command allows runtime execution of TypeScript strings (eval) and files (run), which provides a direct vector for remote code execution if influenced by untrusted inputs.
Recommendations
- AI detected serious security threats
Audit Metadata