gno
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The `gno completion install` command modifies shell initialization files (e.g., `.bashrc`, `.zshrc`) to enable tab completion. This is a common persistence mechanism for CLI tools to maintain their environment across sessions.
- [COMMAND_EXECUTION]: The `gno mcp install` and `gno skill install` commands modify AI assistant configuration files (e.g., `claude_desktop_config.json`) to register the `gno` command. This represents a modification of the agent's operating environment.
- [COMMAND_EXECUTION]: The `gno serve` command binds to `0.0.0.0` by default, which can expose the document indexing service and web UI to other devices on the network.
- [EXTERNAL_DOWNLOADS]: The `gno models pull` command downloads AI models from remote infrastructure to facilitate local embedding and AI answering capabilities.
- [EXTERNAL_DOWNLOADS]: The `gno index --git-pull` and `gno update --git-pull` flags enable the tool to synchronize with remote Git repositories, which involves fetching and potentially executing content updates from external sources.
- [PROMPT_INJECTION]: The skill provides an interface for Indirect Prompt Injection through its document indexing and Q&A workflows.
  - Ingestion points: Untrusted data enters the context through files processed by `gno index` and `gno collection add` (referenced in `SKILL.md` and `cli-reference.md`).
  - Boundary markers: There are no documented delimiters or instructions to the AI agent to ignore embedded commands within retrieved document snippets.
  - Capability inventory: The skill uses `Bash(gno:*)` and `Read` tools, providing a surface for following instructions extracted from documents.
  - Sanitization: The documentation does not describe any validation or sanitization of the content indexed from local files.
Audit Metadata