physical
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The bash script in `SKILL.md` utilizes a broad file system search (find ~) to locate its execution script. This pattern is risky as it could identify and execute a malicious file with the same name if placed in the user's home directory.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill relies on data from a non-trusted GitHub repository (`laris-co/nat-location-data`). Since this source is external and unverified, the data (CSV files) could be manipulated to provide false information or embed malicious payloads.
- [REMOTE_CODE_EXECUTION] (LOW): `location-query.ts` uses Bun's shell wrapper ($) to call the GitHub CLI (gh). While the current implementation uses hardcoded filenames, the use of a shell wrapper for API calls is a brittle pattern that can lead to command injection if improperly extended.
- [PROMPT_INJECTION] (LOW): (Category 8) The skill creates a surface for Indirect Prompt Injection by processing untrusted CSV data without sanitization or boundary markers.
  - Ingestion points: `location-query.ts` fetches CSV content from GitHub.
  - Boundary markers: None. The data is parsed and directly interpolated into the output template in `SKILL.md`.
  - Capability inventory: The skill can execute shell commands via Bun and the GitHub CLI.
  - Sanitization: None. The manual CSV parser splits columns but does not validate or escape the content of the fields (e.g., 'address' or 'locality').
Audit Metadata