seed-cli
Pass
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: SAFEREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs the agent to use
npx -y @seed-hypermedia/cli@latestto execute the CLI tool directly from the npm registry. This ensures the latest version is used but involves downloading and executing remote code from the vendor's package repository at runtime. - [COMMAND_EXECUTION]: The skill relies on shell commands for all document operations, search, and key management tasks. It processes output from these commands to inform agent reasoning and content generation.
- [CREDENTIALS_UNSAFE]: Key management instructions include examples of passing sensitive mnemonic phrases as plain-text arguments in shell commands (e.g.,
seed-cli key import -n mykey "word1 word2 ... word12"). This practice can expose secrets in shell history files, system logs, or process monitoring tools. - [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it fetches and processes document content and comments from a decentralized network (Seed Hypermedia) which could contain adversarial instructions.
- Ingestion points: Untrusted external content enters the agent context through the
seed-cli search,seed-cli document get, andseed-cli comment getcommands (SKILL.md). - Boundary markers: There are no explicit delimiters or "ignore instructions" warnings defined to prevent the agent from obeying commands embedded in the retrieved network data.
- Capability inventory: The skill has access to shell command execution via the CLI and the ability to write files to the local filesystem (SKILL.md).
- Sanitization: No sanitization, escaping, or validation of the retrieved network content is performed before the agent processes it for research or citation.
Audit Metadata