syncause-debugger
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (CRITICAL): Piped remote script execution found in
references/install/nodejs.md. The instructioncurl -sL [URL] | bashdownloads and executes a shell script directly from a non-trusted GitHub repository (Syncause/ts-agent-file), allowing for arbitrary code execution. - [CREDENTIALS_UNSAFE] (HIGH): Hardcoded GitHub Personal Access Tokens (split into
syncause.repo.token.p1andsyncause.repo.token.p2) are embedded inreferences/install/java.md. These credentials provide unauthorized access to the author's private repository assets. - [EXTERNAL_DOWNLOADS] (HIGH): The skill downloads and installs binary artifacts and configuration files from non-trusted external sources, including Python wheels and Node.js packages (
@syncause/debug-mcp), without integrity checks or version pinning. - [COMMAND_EXECUTION] (MEDIUM): The skill identifies application entry points and automatically injects initialization code. It also dynamically generates and executes reproduction scripts (
reproduce_issue.py) via subprocess calls based on user-provided symptoms. - [DATA_EXFILTRATION] (LOW): Instrumentation captures runtime method snapshots (arguments, local variables, and logs) and transmits them to an external endpoint (
wss://api.syn-cause.com). This exposure is consistent with the skill's purpose but poses a risk to sensitive data. - [PROMPT_INJECTION] (LOW): Mandatory Evidence Chain for Indirect Prompt Injection: (1) Ingestion point:
SKILL.mduses user symptoms to generate logic. (2) Boundary markers: Absent. (3) Capability inventory: Subprocess calls in Phase 1 and file writes across all install guides. (4) Sanitization: Absent. The skill is vulnerable to instructions embedded in issue descriptions.
Recommendations
- AI detected serious security threats
Audit Metadata