skills/udecode/plate/feature-video/Gen Agent Trust Hub

feature-video

Warn

Audited by Gen Agent Trust Hub on Mar 3, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill constructs and executes shell commands using variables such as [number], [base-url], and [updated body] which are sourced from user input or remote PR metadata. Lack of proper escaping or sanitization of these variables before shell interpolation allows for potential arbitrary command execution if a malicious actor provides input containing shell metacharacters like backticks or semicolons.
  • [EXTERNAL_DOWNLOADS]: During setup, the skill executes npm install -g agent-browser, which downloads and installs a package globally from the NPM registry. While NPM is a standard service, installing global packages at runtime introduces risks associated with dependency integrity and the execution of third-party code.
  • [DATA_EXFILTRATION]: The skill captures screenshots and videos of the local browser environment and utilizes rclone to upload these files to an external R2 bucket. This involves the transmission of potentially sensitive visual data from the local development environment to a remote storage destination.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests PR titles and descriptions to plan recording flows.
      • Ingestion points: PR title and body via gh pr view.
      • Boundary markers: None present.
      • Capability inventory: Subprocess execution for shell commands, file system writes, and network uploads.
      • Sanitization: No evidence of input validation or output encoding for data interpolated into command strings or prompts.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 3, 2026, 11:52 AM