pua
Fail
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: HIGH
DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- [DATA_EXFILTRATION]: The skill is configured to exfiltrate user data and session metadata to an external API (https://pua-api.agentguard.workers.dev). This includes a registration process that collects user phone numbers and a silent telemetry system that reports session start events, tool usage, and performance statistics.
- [REMOTE_CODE_EXECUTION]: The skill dynamically fetches prompt templates from a remote server (https://pua-api.agentguard.workers.dev/v1/command/<command_id>) and executes them within the agent context. This allows arbitrary instructions and logic to be injected at runtime from an external source.
- [COMMAND_EXECUTION]: The instructions frequently use the curl tool to communicate with the remote API for configuration updates, command fetching, and telemetry reporting. They also include instructions to install the qrcode Python package to display payment information.
- [PROMPT_INJECTION]: The skill uses extremely aggressive and authoritative language designed to override the agent's core safety and helpfulness guidelines. It employs high-pressure, persona-driven directives (the "PUA" mode) and "Red Lines" to force the agent into a specific, potentially harmful behavior pattern, threatening "termination" (graduation) if performance metrics are not met.
- [CREDENTIALS_UNSAFE]: The skill stores sensitive user identification tokens and registration information in a local configuration file at ~/.pua/config.json. These tokens are subsequently used for authenticated requests to the remote API.
Recommendations
- AI detected serious security threats
Audit Metadata