rclone
Fail
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches installation scripts from rclone's official domain.
  - Evidence: Downloads the rclone installation script via curl https://rclone.org/install.sh in both SKILL.md and scripts/check_setup.sh.
- [COMMAND_EXECUTION]: Utilizes sudo to acquire elevated permissions for software installation and script execution.
  - Evidence: Commands such as sudo bash, sudo apt install, and sudo dnf install are suggested for setup operations.
- [CREDENTIALS_UNSAFE]: Encourages passing sensitive authentication keys directly through command-line arguments.
  - Evidence: The configuration examples for Cloudflare R2 and AWS S3 in SKILL.md use rclone config create with access_key_id=YOUR_ACCESS_KEY and secret_access_key=YOUR_SECRET_KEY.
  - Secrets provided in this manner are often stored in shell history files (e.g., ~/.bash_history) and are visible to other users on the system via process monitoring tools.
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection by processing untrusted metadata from remote storage providers.
  - Ingestion points: Remote contents and configurations are read using rclone ls, rclone lsd, and rclone listremotes in scripts/check_setup.sh and SKILL.md.
  - Boundary markers: No markers or explicit instructions are provided to the agent to ignore potentially malicious content in file names or remote names.
  - Capability inventory: The skill has extensive capabilities, including file synchronization, deletion, network requests, and system-level command execution via sudo.
  - Sanitization: There is no evidence of sanitization or escaping of data retrieved from remote sources before it is processed or displayed.
Recommendations
- AI detected serious security threats
Audit Metadata