Fail
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- Remote Code Execution (HIGH): The `SKILL.md` file contains a recommendation to install the `uv` tool using `curl -LsSf https://astral.sh/uv/install.sh | sh`. Executing remote scripts directly in the shell is a high-risk pattern that can be exploited if the source or communication channel is compromised. This finding is not downgraded, as the source 'astral.sh' is not in the trusted organization list.
- External Downloads (MEDIUM): The skill depends on several external libraries (`pinecone`, `typer`, `rich`) and the `uv` tool. The use of unverified installation methods for these dependencies increases the supply chain risk.
- Indirect Prompt Injection (LOW): The skill ingests and processes user-provided documentation to provide answers, which is a known vector for indirect prompt injection, where malicious instructions inside a document could subvert the agent's behavior.
- Ingestion points: `scripts/upload.py` reads local files for indexing; `scripts/chat.py` and `scripts/context.py` retrieve this untrusted content to generate responses.
- Boundary markers: Absent; the scripts do not appear to wrap retrieved context in protective delimiters or provide 'ignore instructions' directives to the LLM.
- Capability inventory: All scripts (`scripts/chat.py`, `scripts/context.py`, `scripts/create.py`, `scripts/list.py`, `scripts/upload.py`) perform network operations via the Pinecone SDK. No `subprocess`, `exec`, or `eval` calls were detected.
- Sanitization: Absent; the skill does not sanitize or validate document content before it is uploaded or used in queries.
Recommendations
- HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata