pckle (skills/pinecone-io/pckle-cli/pckle)

Audit result: Fail

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The troubleshooting documentation instructs the user to download a shell script from a remote URL and pipe it straight into a shell. This is a high-risk execution pattern: the script is never written to disk where it could be inspected or checked against a known digest, and the shell starts executing whatever has arrived before the download is complete.
  • Evidence: curl -fsSL https://<PCKLE_HOST>/install.sh | sh
  • Whatever the server returns runs with the privileges of the invoking user. Because the host is a placeholder (<PCKLE_HOST>), an agent that fills it in from untrusted context can be pointed at an attacker-controlled server.
  • [EXTERNAL_DOWNLOADS]: The skill instructs the user or agent to download and install a binary tool from an external source to satisfy dependencies.
  • Evidence: curl -fsSL https://<PCKLE_HOST>/install.sh | sh
  • [DATA_EXFILTRATION]: Several commands accept an @ prefix that reads a local file and sends its contents to the remote PCKLE API.
  • Evidence: pckle agent create ... --instructions @instructions.md --setup @setup.sh and pckle workflow create --input @prompt.txt
  • If the agent is induced (for example by injected instructions) to point an @ argument at a file outside the intended scope, such as an SSH private key or a configuration file holding secrets, that file's contents are uploaded to the remote API. Nothing in the skill limits which paths the @ prefix may reference.
  • [CREDENTIALS_UNSAFE]: The skill tells the user to supply the API key as a command-line argument and also refers to it living in an environment variable.
  • Evidence: pckle login --api-key <API_KEY> and the mention of the PINECONE_API_KEY environment variable.
  • A key passed on the command line is visible in shell history, process listings and any command log the agent harness keeps; a key in an environment variable is inherited by every child process the agent spawns. Neither keeps the secret out of logged or shared environments.
  • [PROMPT_INJECTION]: The skill's primary function is to retrieve data from an external knowledge base and place it in the agent's context, so any instructions embedded in that data reach the agent as if they were part of the conversation (indirect prompt injection).
  • Ingestion points: pckle workflow get returns content from the external PCKLE knowledge index.
  • Boundary markers: None are specified to distinguish retrieved data from system instructions.
  • Capability inventory: The skill is permitted to run pckle CLI commands through the Bash tool, so an injected instruction can be turned into a command (including the @-prefixed file uploads above).
  • Sanitization: No sanitization or filtering of the retrieved content is mentioned.
  • [COMMAND_EXECUTION]: The skill requires the pckle binary, and the tool definition lets the agent run any pckle subcommand with any arguments; there is no per-subcommand allowlist.
  • Evidence: allowed-tools: Bash(pckle:*)
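The two patterns flagged above (the piped install script, and @file arguments that read arbitrary local paths) with a guard for each, as an added shell example that is not code from the pckle project or from the audit. It assumes the placeholder host <PCKLE_HOST>, a pinned SHA-256 digest obtained out of band (for example from release notes or a signed manifest, never from the server that serves the script), an ALLOWED_ROOT directory chosen by the operator, and hypothetical function names (install_pinned, check_at_args, safe_pckle); the pckle binary itself is only invoked by the wrapper, never by the checks.

```shell
#!/bin/sh
# Added example (not part of the pckle project or of the audit above).
# Guard 1: pin and verify the install script instead of piping it into sh.
# Guard 2: refuse any @path argument that resolves outside ALLOWED_ROOT
#          before the CLI gets a chance to read and upload the file.
# PCKLE_HOST, the pinned digest, ALLOWED_ROOT and the function names are
# assumptions made for this example.

# Print the SHA-256 hex digest of a file (coreutils sha256sum, or shasum fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare a downloaded file against a pinned digest. On mismatch the file is
# deleted so a later step cannot run it by accident. Returns 0 only on a match.
verify_file() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file") || return 1
    if [ "$actual" != "$expected" ]; then
        printf 'digest mismatch for %s\n  got:  %s\n  want: %s\n' \
            "$file" "$actual" "$expected" >&2
        rm -f "$file"
        return 1
    fi
    return 0
}

# Replacement for `curl -fsSL https://<PCKLE_HOST>/install.sh | sh`:
# download to disk, verify, and only then execute. $1 URL, $2 pinned digest,
# $3 destination path. The script never runs if verification fails.
install_pinned() {
    url=$1
    expected=$2
    dest=$3
    curl -fsSL --proto '=https' --tlsv1.2 -o "$dest" "$url" || return 1
    verify_file "$dest" "$expected" || return 1
    sh "$dest"
}

# Resolve a path, following every symlink (coreutils realpath or readlink -f).
resolve_path() {
    if command -v realpath >/dev/null 2>&1; then
        realpath "$1"
    else
        readlink -f "$1"
    fi
}

# Inspect a pckle argument vector. Every argument of the form @path is
# resolved and must be a regular file under ALLOWED_ROOT (default: the
# current directory). Symlinks are followed, so a link inside the root that
# points at ~/.ssh/id_ed25519 is refused too. Returns 1 on the first violation.
check_at_args() {
    root=$(cd "${ALLOWED_ROOT:-.}" && pwd -P) || return 1
    for arg in "$@"; do
        case $arg in
            @*) ;;
            *) continue ;;
        esac
        path=${arg#@}
        resolved=$(resolve_path "$path" 2>/dev/null) || {
            printf 'refusing %s: cannot resolve path\n' "$arg" >&2
            return 1
        }
        if [ ! -f "$resolved" ]; then
            printf 'refusing %s: not a regular file\n' "$arg" >&2
            return 1
        fi
        case $resolved in
            "$root"/*) ;;
            *)
                printf 'refusing %s: %s is outside %s\n' "$arg" "$resolved" "$root" >&2
                return 1
                ;;
        esac
    done
    return 0
}

# Wrapper to put in front of the agent's Bash(pckle:*) tool: the real binary
# only runs once every @argument has passed the check.
safe_pckle() {
    check_at_args "$@" || return 1
    pckle "$@"
}

# Usage (hypothetical values):
#   install_pinned "https://<PCKLE_HOST>/install.sh" "<pinned sha256>" ./pckle-install.sh
#   ALLOWED_ROOT=./project safe_pckle agent create --instructions @instructions.md --setup @setup.sh
```

The digest check only helps if the expected value comes from somewhere the installer server cannot tamper with; pinning a digest copied from the same page that serves the script adds nothing. The @ guard deliberately resolves symlinks before the prefix comparison, because a link created inside the allowed directory is the simplest way for an injected instruction to read a key file while naming a path that looks in scope.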
Recommendations
  • AI detected serious security threats. Mitigations that follow directly from the findings above:
  • Do not pipe the installer into sh. Download it, verify it against a digest obtained out of band, and review it before running it.
  • Limit @file arguments to a project directory and resolve symlinks before the CLI reads the file, so an injected instruction cannot reference SSH keys or configuration files.
  • Keep the API key off the command line (--api-key lands in shell history, process listings and command logs); if an environment variable such as PINECONE_API_KEY is used, set it only for the process that needs it.
  • Replace Bash(pckle:*) with an allowlist of the specific subcommands the skill needs.
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 15, 2026, 03:24 PM