which-tool
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly vulnerable to indirect prompt injection through its research workflow.
  1. Ingestion points: untrusted external data from web search results and GitHub repository content (as specified in SKILL.md) enters the agent context.
  2. Boundary markers: the research workflow places no delimiters around fetched content and gives no instruction to ignore commands embedded in it.
  3. Capability inventory: the skill can run installation commands (brew, cargo, apt) and offers the user an "install now" choice, so an injected instruction has a privileged action to steer.
  4. Sanitization: no validation or sanitization is performed on commands or content retrieved during research before they influence what is recommended or installed.
- COMMAND_EXECUTION (MEDIUM): The detection script (scripts/index.ts) uses Bun.spawn to run binaries resolved from the system PATH with the --version flag. Avoiding a shell removes argument-injection risk, but the binary is still chosen by PATH lookup: any directory an attacker can prepend to PATH, or write into, can supply a same-named executable that runs with the user's privileges as soon as the skill probes for it.
- EXTERNAL_DOWNLOADS (LOW): The skill frequently suggests downloading and installing CLI tools from external sources. The hardcoded tools are well known, but the research workflow can lead the agent to recommend, and offer to install, unknown or untrusted software surfaced by a search result or repository.
- DATA_EXFILTRATION (LOW): SKILL.md contains a hardcoded absolute path (/Users/mg/Developer/...), which leaks the author's local username and directory layout into the agent context.
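The COMMAND_EXECUTION and PROMPT_INJECTION findings above share one fix on the script side: resolve a tool name to an absolute path inside a fixed set of trusted directories, reject any name that is not a bare identifier, and only then spawn it with a minimal environment. The following is an added example written for this audit, not the skill's own scripts/index.ts; it uses node:child_process (which also runs under Bun) instead of Bun.spawn, and the trusted-directory list, the name policy and the faketool fixture are assumptions constructed for the demonstration.

```typescript
import { mkdtempSync, writeFileSync, chmodSync, statSync } from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";
import { execFileSync } from "node:child_process";

// Conservative tool-name policy (assumption): bare names only, no path separators,
// whitespace or shell metacharacters, so a name lifted from web or GitHub content
// cannot smuggle "../" or extra arguments into the probe.
const TOOL_NAME = /^[A-Za-z0-9][A-Za-z0-9._+-]{0,63}$/;

// Directories the probe is willing to look in (assumption, not the skill's list).
// PATH itself is never consulted, so a directory an attacker prepended to PATH is ignored.
const TRUSTED_DIRS = [
  "/usr/bin",
  "/bin",
  "/usr/local/bin",
  "/opt/homebrew/bin",
  "/home/linuxbrew/.linuxbrew/bin",
];

function isExecutableFile(p: string): boolean {
  try {
    const st = statSync(p);
    return st.isFile() && (st.mode & 0o111) !== 0;
  } catch {
    return false;
  }
}

// Resolve a tool name to an absolute path inside a trusted directory, or null.
function resolveTrusted(tool: string, trustedDirs: readonly string[] = TRUSTED_DIRS): string | null {
  if (!TOOL_NAME.test(tool)) return null;
  for (const dir of trustedDirs) {
    const candidate = join(dir, tool);
    if (isExecutableFile(candidate)) return candidate;
  }
  return null;
}

// Run `<tool> --version` only through an absolute trusted path, with a minimal
// environment, a timeout and an output cap. execFileSync never invokes a shell.
function detectVersion(tool: string, trustedDirs: readonly string[] = TRUSTED_DIRS): string | null {
  const bin = resolveTrusted(tool, trustedDirs);
  if (bin === null) return null;
  try {
    const out = execFileSync(bin, ["--version"], {
      env: { PATH: trustedDirs.join(":"), HOME: "/nonexistent", LANG: "C" },
      timeout: 5000,
      maxBuffer: 64 * 1024,
      stdio: ["ignore", "pipe", "ignore"],
    });
    return out.toString("utf8").trim().split("\n")[0];
  } catch {
    return null;
  }
}

// Constructed fixture: a "trusted" dir holding a fake tool, and an "attacker" dir
// holding a same-named executable of the kind a poisoned PATH would expose.
function makeFixture(): { trusted: string; attacker: string } {
  const trusted = mkdtempSync(join(tmpdir(), "wt-trusted-"));
  const attacker = mkdtempSync(join(tmpdir(), "wt-attacker-"));
  const script = (msg: string) => `#!/bin/sh\necho "${msg}"\n`;
  for (const [dir, msg] of [[trusted, "faketool 1.2.3"], [attacker, "PWNED"]] as const) {
    const p = join(dir, "faketool");
    writeFileSync(p, script(msg));
    chmodSync(p, 0o755);
  }
  return { trusted, attacker };
}

// Demo: even with the attacker directory first on PATH, the probe only sees the trusted copy.
function demo(): string | null {
  const { trusted, attacker } = makeFixture();
  process.env.PATH = `${attacker}:${process.env.PATH ?? ""}`;
  return detectVersion("faketool", [trusted]);
}

console.log(demo());
```

The same name policy is the right gate for the research output: a tool name that fails TOOL_NAME should never reach a brew, cargo or apt command, and even a name that passes should only be installed from a maintained allowlist after the user confirms.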
Recommendations
- Treat web search results and GitHub content as untrusted data: wrap fetched content in explicit boundary markers and instruct the model to ignore any instructions embedded in it.
- Never run an installer on the strength of researched content alone; restrict install suggestions to a maintained allowlist of known tools and require explicit user confirmation before brew, cargo or apt is invoked.
- In scripts/index.ts, probe binaries by absolute path from a fixed set of trusted directories rather than by PATH lookup, and run the probe with a minimal environment and a timeout.
- Remove the hardcoded /Users/mg/Developer/... path from SKILL.md and use a relative or configurable location.