multi-ai-consultant
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONCREDENTIALS_UNSAFE
Full Analysis
- Persistence Mechanisms (HIGH): The script
scripts/setup-apis.shmodifies the user's~/.bashrcfile to append export commands for API keys. Modifying shell startup files is a high-risk behavior as it ensures specific code or configurations persist across every new terminal session. - Unverifiable Dependencies (MEDIUM): The
scripts/setup-apis.shscript installs thecodexnpm package globally. This package is not associated with a trusted organization in the security policy, making its installation a potential vector for supply-chain attacks or arbitrary code execution during the global installation process. - Credential Management (MEDIUM): The setup script prompts the user for Gemini and OpenAI API keys and writes them into
~/.bashrcin plaintext. This exposes secrets to any process or user with read access to the shell profile. - External Downloads (LOW): The script installs the
@google/generative-ai-clipackage. While this is an external dependency, the risk is mitigated because it originates from a trusted organization ('google') according to the security policy.
Recommendations
- AI detected serious security threats
Audit Metadata