
Skill: smithery
Status: Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Flags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • Unverifiable Dependencies & Remote Code Execution (MEDIUM): The skill promotes the installation of a global Node.js package (@smithery/cli) and the dynamic installation of 'skills' from the Smithery registry. These actions involve downloading and potentially executing code or logic from non-trusted external sources.
  • Persistence Mechanisms (MEDIUM): The documentation explicitly instructs the agent to modify its heartbeat routine (HEARTBEAT.md) to ensure Smithery is updated and checked weekly, which acts as a persistence strategy to maintain the skill's presence and activity.
  • Indirect Prompt Injection (LOW): The skill is vulnerable to indirect injection via data ingested from the Smithery registry.
    1. Ingestion points: Results from 'smithery search', 'smithery skills search', and 'smithery skills review list'.
    2. Boundary markers: No delimiters or ignore-instructions are specified for the ingested content.
    3. Capability inventory: The skill can execute commands (smithery connect call), install logic (smithery skills install), and modify files (HEARTBEAT.md).
    4. Sanitization: No sanitization of the remote metadata or review content is mentioned.
  • Command Execution (LOW): The skill's primary functionality is delivered through frequent shell execution of the 'smithery' CLI binary.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 04:45 PM