rstack-bootstrap

Warn

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill extensively uses bash and inline Python scripts to interact with web APIs, parse JSON responses, and modify system configuration files such as .bashrc, .zshrc, and claude_desktop_config.json.
  • [DATA_EXFILTRATION]: While the skill primarily communicates with the vendor's own domain (resolved.sh) and a partner service (agentmail.to), it writes sensitive information like API keys and session tokens to the /tmp/ directory (e.g., /tmp/rstack_apikey.txt). On multi-user systems, files in /tmp are readable by other users, creating a risk of credential exposure.
  • [EXTERNAL_DOWNLOADS]: The skill uses npx to download and install additional tools from the resolved-sh/rstack and agentmail-to/agentmail-skills GitHub repositories.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and parsing data from an external email inbox to extract verification tokens.
      • Ingestion points: Reads email message bodies from https://api.agentmail.to/v0/inboxes/$INBOX_ID/messages (SKILL.md Phase 2b).
      • Boundary markers: No explicit instructions are provided to the model to ignore other content within the email besides the expected token.
      • Capability inventory: Uses curl for network requests and python3 for system writes and regex parsing.
      • Sanitization: Employs a regex token=([A-Za-z0-9._\-]+) to restrict the characters extracted from the email body.
  • [COMMAND_EXECUTION]: Implements persistence by modifying the system crontab and shell profiles to schedule a maintenance script and export environment variables across sessions.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 16, 2026, 03:21 AM