cgenius
Audited by Gen Agent Trust Hub on Feb 13, 2026
================================================================================
🔴 VERDICT: CRITICAL
The skill contains a critical security vulnerability where a hardcoded username and password (contact@epsimoai.com and EpsimoAI184) are explicitly sent in API requests for email generation. This exposes sensitive, fixed credentials to an external service, posing a significant risk. Additionally, the skill relies on external APIs (beta.cgenius.app, backend.epsimoai.io) which are not from trusted sources, and requires API tokens to be configured, which are then transmitted to these external services.
Total Findings: 2
🔴 CRITICAL Findings: • Hardcoded Credentials (CREDENTIALS_UNSAFE, DATA_EXFILTRATION)
- SKILL.md, Line 100: The generateEmail function explicitly includes a hardcoded user_id: 'contact@epsimoai.com' and password: 'EpsimoAI184' in the body of its POST request to ${API_BASE}/api/generate-text. This is a severe security flaw, as it exposes fixed, sensitive credentials that could be misused if intercepted or if the external API is compromised.
🔵 LOW Findings: • External API Calls (EXTERNAL_DOWNLOADS)
- SKILL.md, Line 96: The skill makes network requests to https://beta.cgenius.app and backend.epsimoai.io for its core functionality. These domains are not listed as trusted external sources. While this is the intended behavior of the skill, it means the skill relies on external services that are not subject to the same trust assessment as the skill itself. API tokens (CGENIUS_EPSIMO_TOKEN, CGENIUS_PROJECT_TOKEN) are also sent to these endpoints.
================================================================================
- AI detected serious security threats