skills/runpod/skills/companion-clis/Gen Agent Trust Hub

companion-clis

Fail

Audited by Gen Agent Trust Hub on Apr 15, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: Fetches and executes installation scripts from well-known official sources, HuggingFace (hf.co) and Docker (get.docker.com), to set up the respective CLI environments.
  • [COMMAND_EXECUTION]: Instructs the agent to execute shell commands using the Bash tool for a wide range of tasks, including repository cloning, container builds, and cloud storage management.
  • [DATA_EXFILTRATION]: Mentions and accesses sensitive local files and paths, including SSH private keys (~/.ssh/id_ed25519), AWS credential stores, and Docker authentication tokens. This access is inherent to the functionality of the documented tools, and no unauthorized network exfiltration of this data was observed.
  • [PROMPT_INJECTION]: The skill retrieves external, untrusted content from GitHub and HuggingFace, which creates a surface for indirect prompt injection attacks.
  • Ingestion points: Untrusted data enters the context through repository cloning (gh repo clone) and model downloads (hf download) documented in SKILL.md.
  • Boundary markers: No explicit delimiters or warnings are present to mitigate the risk of instructions embedded in the external content.
  • Capability inventory: The skill uses Bash for subprocess execution, network operations, and file system modifications.
  • Sanitization: No mechanisms for sanitizing or validating the downloaded external content are specified.
Recommendations
  • HIGH: Downloads and executes remote code from https://hf.co/cli/install.sh and https://get.docker.com. DO NOT USE without thorough review of those scripts.
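The recommendation above asks for review before execution. The following is an added example, not part of the audited skill or of the Gen Agent Trust Hub report, of the fetch-inspect-pin-execute flow that replaces "fetch the installer and run it in one step": the script is written to disk, its SHA-256 is compared against a hash recorded after a human has read that exact file, and the interpreter is only invoked on a match. The function names, the default interpreter, and the use of curl are assumptions of this example; the two URLs are the ones flagged in the report.

```shell
#!/usr/bin/env sh
# Added example (not the skill's own code): never execute a freshly downloaded
# installer directly. Download, read, pin its hash, then run only on a match.
# Assumes POSIX sh plus either GNU sha256sum or BSD/macOS shasum.

# Print the SHA-256 of a file, portable between coreutils and BSD tools.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Download an installer to disk so the bytes you review are the bytes you run.
# Forces HTTPS and TLS 1.2+ and fails on HTTP errors instead of saving an
# error page as a "script".
fetch_installer() {
    url="$1"; out="$2"
    curl -fsSL --proto '=https' --tlsv1.2 -o "$out" "$url"
}

# Run an installer only if its SHA-256 equals a hash pinned after review.
#   $1 = path to the downloaded script
#   $2 = pinned SHA-256 (64 hex chars) recorded after reading that file
#   $3 = interpreter (default: sh)
# Returns 0 when the script was run, 2 when the hash did not match (the
# script is not executed), and the interpreter's own status otherwise.
run_pinned_installer() {
    script="$1"; expected="$2"; interp="${3:-sh}"
    actual="$(sha256_of "$script")"
    if [ "$actual" != "$expected" ]; then
        echo "REFUSING to run $script: sha256 $actual does not match pinned $expected" >&2
        return 2
    fi
    "$interp" "$script"
}

# Workflow for the two URLs flagged in the audit (left commented so this file
# runs offline; the pinned values are whatever you record after reading the
# downloaded scripts, not constants anyone else can hand you):
#   fetch_installer https://hf.co/cli/install.sh /tmp/hf-install.sh
#   fetch_installer https://get.docker.com       /tmp/get-docker.sh
#   less /tmp/hf-install.sh /tmp/get-docker.sh   # read them
#   HF_PIN="$(sha256_of /tmp/hf-install.sh)"     # record after review
#   DOCKER_PIN="$(sha256_of /tmp/get-docker.sh)"
#   run_pinned_installer /tmp/hf-install.sh "$HF_PIN"
#   run_pinned_installer /tmp/get-docker.sh "$DOCKER_PIN"
```

The pinned hash is the review artifact: if the upstream file changes, the run refuses, which is exactly the moment a second read is warranted. Storing the pins next to the skill (or in the agent's allowlist) turns "DO NOT USE without thorough review" into a check the agent cannot skip by accident.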
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 15, 2026, 01:39 AM