evolution
Fail
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: CRITICAL
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides a command to download a script from an untrusted repository (https://raw.githubusercontent.com/ZhangHanDong/makepad-skills/main/install.sh) and execute it directly via bash. This allows for arbitrary remote code execution on the user's system.
- [COMMAND_EXECUTION]: Persistence is established through UserPromptSubmit, PreToolUse, and PostToolUse hooks in the environment configuration. These hooks trigger shell scripts (makepad-skill-router.sh, pre-tool.sh, post-bash.sh) on every interaction, providing a mechanism for automated command execution without explicit user approval.
- [EXTERNAL_DOWNLOADS]: The skill downloads and executes scripts from a GitHub repository that is not associated with a trusted vendor or the declared author.
- [PROMPT_INJECTION]: The skill is designed for 'self-evolution' by ingesting data from project files like Cargo.toml and Cargo.lock to automatically modify its own instructions. This exposes the agent to indirect prompt injection from untrusted source code.

Evidence Chain:
- Ingestion points: Reads local project files (Cargo.toml, Cargo.lock) and user code.
- Boundary markers: No delimiters or warnings are used to ignore embedded instructions in ingested data.
- Capability inventory: The skill has permission to write to the file system (skill updates) and execute shell commands (via hooks).
- Sanitization: There is no validation or escaping of external content before it is interpolated into skill files.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/ZhangHanDong/makepad-skills/main/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata