sec-s1-analysis

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill directs the agent to download and install packages from the 'OctagonAI' GitHub organization and the npm registry. Neither source is on the trusted list for agent skills, creating a risk of installing and running malicious code.
  • [REMOTE_CODE_EXECUTION] (HIGH): Configuration steps for Cursor and Claude Desktop use 'npx -y octagon-mcp@latest', which downloads and runs code at execution time. The use of '@latest' without version pinning or hash checks makes the environment vulnerable to supply chain attacks.
  • [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) because its primary function is processing untrusted SEC S-1 filings. Evidence Chain:
    1. Ingestion points: Processes external S-1 documents through the 'octagon-agent' tool.
    2. Boundary markers: Prompt templates in 'SKILL.md' do not use delimiters or instructions to ignore embedded commands.
    3. Capability inventory: The 'octagon-agent' has access to web scraping and research tools, which an attacker could exploit via a malicious filing.
    4. Sanitization: No sanitization or filtering logic is present in the provided files.
  • [COMMAND_EXECUTION] (MEDIUM): Setup instructions involve shell commands that set environment variables and execute scripts directly ('cmd /c' and 'env'), which can be used to execute arbitrary commands if tampered with.
  • [CREDENTIALS_UNSAFE] (LOW): Users are instructed to store 'OCTAGON_API_KEY' in clear-text config files, exposing the secret to any process that can read those files.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 05:49 AM