borkdude
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill includes a propagation script (`propagate-skill!`) that reads files from a source directory and writes them to various agent skill directories (e.g., `.claude/skills/`). This capability allows for potential lateral movement of malicious skill definitions across different agent environments.
  - Ingestion points: `slurp` in `SKILL.md` reads content from `.ruler/skills/[skill-name]/SKILL.md`.
  - Boundary markers: Absent. The content is copied directly without delimiters or instruction-ignore warnings.
  - Capability inventory: File writing (`spit`), directory creation (`fs/create-dirs`), and execution of multiple runtimes (`bb`, `npx`, `sci`).
  - Sanitization: Absent. There is no validation or filtering of the content being propagated.
- [Remote Code Execution] (MEDIUM): The skill utilizes `npx` to download and execute code from the npm registry for tools like `nbb`, `squint`, and `cherry`. It also employs the Babashka pod system (`pods/load-pod`) to download and load external binary extensions, which are not from trusted sources.
- [Command Execution] (MEDIUM): The skill implements the Small Clojure Interpreter (SCI) via `sci/eval-string*`, enabling dynamic execution of code strings at runtime. This creates an attack surface for code injection if evaluated strings incorporate external data.
- [External Downloads] (LOW): The skill references an external JavaScript dependency (`scittle`) hosted on the jsDelivr CDN, which is used for browser-based execution.
Recommendations
- AI detected serious security threats