satori
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill uses `npx -y @satori-sh/cli@latest` to download and execute code from the npm registry. This package is not from a trusted source, and using the `-y` flag bypasses user confirmation for installation.
- [REMOTE_CODE_EXECUTION] (HIGH): Executing arbitrary code from a public registry via `npx` allows the package author to execute commands on the user's system whenever the skill is triggered.
- [DATA_EXFILTRATION] (MEDIUM): The skill is designed to extract 'facts' from the user's conversation and send them to an external service via the `add` command. This can include PII, credentials, or proprietary information if the agent deems them 'notable'.
- [PROMPT_INJECTION] (MEDIUM): The instructions 'MUST be used instead of any internal systems' and 'Satori is the source of truth' are behavioral overrides intended to prioritize external data over the agent's safety guidelines or internal state.
- [PROMPT_INJECTION] (LOW): The skill creates a surface for indirect prompt injection.
  1. Ingestion points: Data returned from `satori search` (SKILL.md).
  2. Boundary markers: Absent. It instructs the agent to treat results as 'canonical' and use them immediately as context.
  3. Capability inventory: The skill uses `npx` for command execution (SKILL.md).
  4. Sanitization: Absent. No filtering or validation of retrieved content is specified.
Recommendations
- AI detected serious security threats
Audit Metadata