NYC

agentic-workflow

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (CRITICAL): The Dockerfile section contains the command 'curl -fsSL https://claude.ai/install.sh | sh'. This piped-to-shell pattern is a confirmed detection of remote script execution from an external URL, which executes unverified code with system privileges.
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill references and downloads software from external domains (claude.ai) and utilizes multiple third-party MCP servers (Playwright, Supabase, Firecrawl) without version pinning or integrity validation.
  • [COMMAND_EXECUTION] (HIGH): The skill explicitly grants and instructs the use of the 'Bash' tool and provides commands for arbitrary shell execution (e.g., '!cmd' and 'shell' via Codex), creating a high-risk capability profile.
  • [PROMPT_INJECTION] (LOW): The skill is vulnerable to indirect prompt injection through external data ingestion.
    1. Ingestion points: Pull request metadata/diffs via 'gh pr checkout' and arbitrary web content via Firecrawl MCP.
    2. Boundary markers: Absent; there are no instructions to delimit or ignore instructions embedded in the external content.
    3. Capability inventory: Access to 'Bash', 'Write', and 'Read' tools allows for potential compromise if the agent obeys instructions in the data.
    4. Sanitization: Absent; external data is processed directly without filtering.
Recommendations
  • HIGH: Downloads and executes remote code from: https://claude.ai/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Feb 17, 2026, 05:24 PM