headless-adapters
Warn
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill documentation instructs users to execute @plaited/agent-eval-harness via bunx. This involves downloading and running code from a source that is not included in the Trusted External Sources list.
- [COMMAND_EXECUTION] (MEDIUM): The provided schemas (claude-headless.json and gemini-headless.json) include command-line arguments designed to bypass internal security checks of the wrapped agents, specifically --dangerously-skip-permissions for Claude and --sandbox false for Gemini.
- [PROMPT_INJECTION] (SAFE): No evidence of malicious prompt injection or system prompt extraction patterns was found in the skill metadata or instructions.
- [DATA_EXFILTRATION] (SAFE): No hardcoded credentials or patterns suggesting unauthorized data exfiltration were detected.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill processes output from external CLI tools using JSONPath. This creates an attack surface where a compromised or malicious CLI tool could output data that influences the downstream agent's behavior.
  - Ingestion points: outputEvents in claude-headless.json and gemini-headless.json, which process lines from the CLI's stdout.
  - Boundary markers: Absent in the schema configurations.
  - Capability inventory: Spawning sub-processes with the command defined in the command field.
  - Sanitization: No explicit sanitization of extracted JSONPath content is performed before emission.
Audit Metadata