asc-plugins
Fail
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill facilitates the installation and execution of arbitrary local binaries or scripts through the plugin management system.
- [COMMAND_EXECUTION]: The documentation provides explicit instructions to use
chmod +xon local scripts to grant them execution privileges, which is a potential security risk for dynamically created files. - [REMOTE_CODE_EXECUTION]: The
asc plugins install <path>command allows for the installation of code from any local directory, which is then executed automatically by theascCLI during lifecycle events, potentially executing malicious code if an untrusted path is provided. - [COMMAND_EXECUTION]: The skill implements a persistence mechanism where plugins stored in
~/.asc/plugins/are automatically triggered by CLI events like build uploads, allowing for hidden or unexpected background task execution. - [COMMAND_EXECUTION]: The plugin protocol creates an attack surface for Indirect Prompt Injection as it processes event data without specified sanitization, passing it directly to executables with broad system capabilities.
Recommendations
- AI detected serious security threats
Audit Metadata