rclone
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): The skill promotes installation via the "pipe to shell" pattern: curl https://rclone.org/install.sh | sudo bash.
  - Evidence: Found in SKILL.md and scripts/check_setup.sh.
  - Risk: This method executes unverified code from a remote source with root privileges. Nothing is written to disk first, so the script cannot be inspected or checksum-verified before it runs. The domain rclone.org is not listed in the Trusted External Sources, making this an untrusted remote execution vector.
- COMMAND_EXECUTION (HIGH): The skill frequently uses sudo for setup tasks and package management.
  - Evidence: sudo bash, sudo apt install, and sudo dnf install in both SKILL.md and scripts/check_setup.sh.
- CREDENTIALS_UNSAFE (HIGH): Configuration examples pass sensitive cloud credentials directly as command-line arguments.
  - Evidence: rclone config create ... access_key_id=YOUR_ACCESS_KEY secret_access_key=YOUR_SECRET_KEY in SKILL.md.
  - Risk: Secrets passed via the CLI are captured in shell history files (e.g., ~/.bash_history), exposing them to anyone with read access to the user's home directory, and they are visible in process listings (e.g., ps) to other local users while the command runs.
- PROMPT_INJECTION (LOW): Indirect prompt injection surface.
  - Ingestion points: User-provided or externally sourced local file paths and remote bucket/folder names in SKILL.md.
  - Boundary markers: Absent. There are no instructions to the agent to validate or sanitize these inputs against embedded control instructions.
  - Capability inventory: The rclone binary can read and write arbitrary files and perform network transfers. The setup scripts have shell execution capabilities.
  - Sanitization: Absent. The skill interpolates user-provided strings directly into shell commands.
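A verified-download alternative to the pipe-to-shell pattern in the REMOTE_CODE_EXECUTION finding, as an added example rather than code from the audited skill or from the rclone project. It assumes the installer URL quoted in the finding and a SHA-256 value that the operator pins after checking it out of band; the hash used when running it here is computed from a constructed stand-in script, not from a real rclone release.

```shell
#!/usr/bin/env bash
# Added example, not code from the audited skill or from the rclone project.
# Replaces `curl https://rclone.org/install.sh | sudo bash` with
# download -> verify pinned SHA-256 -> execute. The pinned hash is an
# operator-supplied value (assumption: obtained and checked out of band).

INSTALLER_URL="https://rclone.org/install.sh"   # URL quoted in the finding

# Step 1: download to a file. Nothing is executed here, so the content can
# be read, diffed against a previous copy, or hashed before anything runs.
fetch_installer() {
  local url="$1" dest="$2"
  curl --fail --silent --show-error --location --output "$dest" "$url"
}

# Portable SHA-256 of a file (GNU coreutils sha256sum or BSD/macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Step 2: succeed only if the file hashes to the pinned value.
verify_sha256() {
  local expected
  expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  [ "$(sha256_of "$1")" = "$expected" ]
}

# Step 3: run the installer only after verification. It runs as the invoking
# user; if the verified script needs root for its install step, elevate that
# single invocation (sudo bash "$file") only after reading the script.
run_verified_installer() {
  local file="$1" expected="$2"
  if ! verify_sha256 "$file" "$expected"; then
    printf 'refusing to run %s: SHA-256 does not match pinned value\n' "$file" >&2
    return 1
  fi
  bash "$file"
}

# Usage (network step shown, not exercised offline):
#   fetch_installer "$INSTALLER_URL" /tmp/rclone-install.sh
#   run_verified_installer /tmp/rclone-install.sh "<pinned sha256>"
```

The point is the ordering: fetch, hash, then execute, so a substituted or modified script fails closed instead of running as root. Pinning a hash also turns a silent upstream change into a visible verification failure that someone has to review.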
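For the CREDENTIALS_UNSAFE finding, an added example (not the skill's own code and not rclone project code) that first scans a constructed history file for the argument pattern quoted in the evidence, then defines the same remote through rclone's documented RCLONE_CONFIG_<REMOTE>_<KEY> environment variables so the secret never enters argv. The remote name mys3 and all key values are invented, and rclone itself is not run.

```shell
#!/usr/bin/env bash
# Added example, not from the audited skill or the rclone project. Part (a)
# detects the pattern the finding describes: credential values typed as
# rclone arguments and left in shell history. Part (b) supplies the same
# values through rclone's documented RCLONE_CONFIG_<REMOTE>_<KEY> environment
# variables. Remote name "mys3" and all key values are made up.

# Argument names that carry credentials in `rclone config create` lines for
# common backends; extend for your providers. "pass" also matches
# password/passphrase arguments (and a few harmless words, so review hits).
SECRET_ARG_PATTERN='(secret_access_key|access_key_id|client_secret|token|pass)=[^[:space:]]+'

# (a) Print matching history lines with line numbers. Exit status is 0 when
# at least one hit exists, so it can gate a cleanup step.
scan_history_for_secrets() {
  grep -E -n -i "$SECRET_ARG_PATTERN" "$1"
}

# Number of history lines that carry a credential argument (0 if none).
count_secret_lines() {
  grep -E -c -i "$SECRET_ARG_PATTERN" "$1" || true
}

# The form the audited SKILL.md shows, rendered as a string and deliberately
# not executed: the secret is part of argv, so it is recorded in
# ~/.bash_history and visible in process listings while rclone runs.
unsafe_create_cmd() {
  printf 'rclone config create %s s3 access_key_id=%s secret_access_key=%s\n' "$1" "$2" "$3"
}

# (b) Define the remote for this shell session through environment variables
# instead. The variable name uses the upper-cased remote name, as in the
# rclone docs. The values still live in the process environment (readable by
# the same user via /proc), but never in argv or history.
export_s3_remote_env() {
  local name="$1" key="$2" secret="$3" upper
  upper=$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')
  export "RCLONE_CONFIG_${upper}_TYPE=s3"
  export "RCLONE_CONFIG_${upper}_ACCESS_KEY_ID=$key"
  export "RCLONE_CONFIG_${upper}_SECRET_ACCESS_KEY=$secret"
  # With rclone installed:  rclone lsd "${upper}:"
}

# Read the secret without echo so it is never typed into a recorded command.
prompt_secret() {
  local value
  printf 'secret access key: ' >&2
  stty -echo 2>/dev/null
  read -r value
  stty echo 2>/dev/null
  printf '\n' >&2
  printf '%s' "$value"
}
```

Typical use is `export_s3_remote_env mys3 "$AWS_ACCESS_KEY_ID" "$(prompt_secret)"` followed by the rclone command; the history line then contains only variable names, and the scan function reports nothing.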
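For the PROMPT_INJECTION finding, an added example (not from the skill or from rclone) that puts the unsanitized interpolation the finding describes next to a hardened form that allowlists the remote/bucket operands and passes them as single arguments. rclone is replaced by a stand-in shell function so the example runs without the binary; the remote name mys3 and the paths are invented.

```shell
#!/usr/bin/env bash
# Added example, not from the audited skill or the rclone project. Shows the
# finding's failure mode, a user- or document-supplied folder name spliced
# into a shell command string, next to a hardened form. `rclone` below is a
# stand-in function that only records its arguments (assumption so the
# example runs offline); delete it to use the real binary.

# Stand-in for the rclone binary (records argv, transfers nothing).
LAST_RCLONE_ARGS=""
rclone() { LAST_RCLONE_ARGS="$*"; }

# Vulnerable form, as the finding describes: string interpolation plus eval.
# Anything after ';' in an operand runs as a separate shell command.
unsafe_copy() {
  eval "rclone copy $1 $2"
}

# Allowlist for rclone path operands: letters, digits, '.', '_', '-', '/'
# and ':' (remote separator). Rejects empty values, a leading '-' (would be
# parsed as an option), '..' segments, and any newline or other byte outside
# the set. Deliberately stricter than what rclone itself accepts.
is_safe_rclone_path() {
  local p="$1" nl
  nl=$(printf '\nx'); nl=${nl%x}
  case "$p" in
    '' | -* | *..* | *"$nl"*) return 1 ;;
  esac
  printf '%s' "$p" | LC_ALL=C grep -Eq '^[A-Za-z0-9._:/-]+$'
}

# Hardened form: validate both operands, then pass each as one argv element.
# No eval and no string building, so shell metacharacters are inert.
safe_copy() {
  local operand
  for operand in "$1" "$2"; do
    if ! is_safe_rclone_path "$operand"; then
      printf 'rejected operand: %s\n' "$operand" >&2
      return 2
    fi
  done
  rclone copy "$1" "$2"
}
```

The validation belongs at the point where an agent turns text from a prompt, a document or a listing into a command operand; an allowlist that fails closed is what the finding calls a boundary marker, and the quoted argv form is what it calls sanitization.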
Recommendations
- AI detected serious security threats
Audit Metadata