Skills
skills/steipete/clawdis/blucli/Gen Agent Trust Hub

blucli

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill's installation metadata specifies 'go install github.com/steipete/blucli/cmd/blu@latest'. The repository 'steipete/blucli' is not a trusted source according to defined security protocols, and installing the '@latest' version introduces risks if the source repository is compromised.
  • [COMMAND_EXECUTION] (SAFE): The skill uses the 'blu' binary to control audio hardware (playback, volume, grouping). These actions align with the primary purpose of the skill and do not involve unauthorized system access.
  • [PROMPT_INJECTION] (LOW): The skill exhibits surface for Indirect Prompt Injection. 1. Ingestion points: Data entering through 'blu' command output (device names, status, TuneIn search results). 2. Boundary markers: None specified. 3. Capability inventory: Execution of 'blu' CLI tool via subprocess. 4. Sanitization: None mentioned. While exploitable if an attacker controls device names or TuneIn results, the impact is limited by the CLI's scoped capabilities.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 17, 2026, 05:47 PM