offworld
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- [REMOTE_CODE_EXECUTION] (CRITICAL): The file `references/installation.md` contains instructions for the agent to execute untrusted remote scripts via `curl -fsSL https://opencode.ai/install | bash` and `curl -fsSL https://offworld.sh/install | bash`. Piped remote execution from non-whitelisted domains is a primary vector for arbitrary code execution and system compromise.
- [EXTERNAL_DOWNLOADS] (HIGH): The skill utilizes the `ow pull <owner/repo>` command to clone external, third-party codebases into the local environment. This bypasses typical safety boundaries by bringing large amounts of untrusted code into the agent's context.
- [COMMAND_EXECUTION] (HIGH): The skill requests and uses broad `Bash(ow:*)` permissions. This allows the execution of a complex CLI tool (`ow`) which performs high-privilege operations such as initializing agent configurations, setting model providers (`ow init --model`), and scanning project dependencies.
- [INDIRECT_PROMPT_INJECTION] (HIGH):
  - Ingestion points: `ow pull` and `ow map search` ingest data from external GitHub repositories and remote maps.
  - Boundary markers: None present. There are no instructions to the agent to treat cloned code or generated references as untrusted or to ignore embedded instructions.
  - Capability inventory: The agent has `Bash` and `Read` capabilities, allowing it to execute commands or read files based on malicious instructions found in cloned repos.
  - Sanitization: No evidence of sanitization for the content processed from external repositories.
Recommendations
- AI detected serious security threats
Audit Metadata