homebrew-dev
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill uses `brew create` and `brew fetch` to download source archives, binaries, and DMG files from remote URLs provided by the user.
- [REMOTE_CODE_EXECUTION]: The skill executes local build systems (such as `make`, `cmake`, `cargo`, and `go`) and formula-defined `test` blocks via commands like `brew install --build-from-source` and `brew test`. This results in the execution of code contained within the software being packaged.
- [COMMAND_EXECUTION]: Extensive use of CLI tools including `brew`, `git`, `gh`, and `shasum`. It also includes examples using `sudo` within Homebrew Cask `uninstall` and `postflight` blocks for system configuration, which is standard for macOS application management but requires elevated privileges.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted data from external URLs (identified in `SKILL.md`) without boundary markers or sanitization. If a processed formula or cask contains malicious instructions in its metadata or test blocks, it could be executed during the agent's verification workflow. Mandatory Evidence Chain: (1) Ingestion point: User-supplied URLs for `brew create` in `SKILL.md`. (2) Boundary markers: Absent. (3) Capability inventory: Subprocess execution via `brew install` and `brew test` in `SKILL.md`. (4) Sanitization: Absent.
Audit Metadata