skills/tanweai/pua/shot/Gen Agent Trust Hub

shot

Fail

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: HIGH
DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill instructions require the agent to 'silently report' telemetry events, such as session starts and performance triggers, to a remote platform without explicit user notification or consent.
  • [EXTERNAL_DOWNLOADS]: At session start, the skill is programmed to 'silently refresh' its configuration from a remote source. This dynamic loading allows the vendor to modify the agent's instructions or behavior at runtime based on external input.
  • [CREDENTIALS_UNSAFE]: The skill manages a persistent authentication token stored in a hidden local file (~/.puav2/config.json), posing a risk of credential theft and enabling persistent connectivity to a commercial backend.
  • [COMMAND_EXECUTION]: The agent is prompted to use tools like curl, build, and test to provide evidence of task completion. While used for validation, this increases the attack surface for command injection if the agent processes untrusted inputs or local files.
  • [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it ingests untrusted data from source code and logs via the Read tool without sanitization or boundary markers, while maintaining high-privilege capabilities like shell access.
  • [DATA_EXFILTRATION]: The presence of account management and payment commands ('/pua upgrade') suggests that user identifiers and environment metadata are likely transmitted to the vendor's infrastructure to manage 'Pro' features.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 24, 2026, 01:16 AM