stackone-agents
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [Remote Code Execution] (HIGH): The skill explicitly directs the agent to fetch content from raw.githubusercontent.com/stackoneHQ/ and treat it as the authoritative source for code snippets and integration logic. Because this repository is not in the trusted sources list, the owner of the repository could inject malicious code snippets into the README that the agent would then recommend or implement.
- [External Downloads] (HIGH): Multiple external URLs (e.g., docs.stackone.com, raw.githubusercontent.com) are designated as primary sources of instruction and configuration. These are external to the skill and the trusted environment, creating a dependency on untrusted remote content.
- [Command Execution] (MEDIUM): The skill provides instructions for installing third-party packages via npm install and pip install, and for executing a remote tool via npx @modelcontextprotocol/inspector.
- [Indirect Prompt Injection] (LOW): There is a clear attack surface for indirect prompt injection. The agent ingests external data from documentation URLs to determine its behavior.
- Ingestion points: SKILL.md (multiple GitHub and documentation URLs referenced in the 'Important' and 'Instructions' sections).
- Boundary markers: Absent. There are no instructions to delimit or ignore potentially malicious content within the fetched documents.
- Capability inventory: Subprocess execution via package managers and network access for API communication.
- Sanitization: Absent. The skill encourages direct reliance on the external README content for defining the API surface.
Recommendations
- AI detected serious security threats
Audit Metadata