tests-prod-test-bitly-links

Fail

Audited by Gen Agent Trust Hub on Mar 3, 2026

Risk Level: CRITICAL
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill employs python3 -c to decode URL anchors using a command string that interpolates the ${FINAL_URL#*#} shell variable. Because FINAL_URL is the result of following an external redirect, a maliciously crafted URL anchor could break out of the Python string and execute arbitrary code within the Python sub-process.
  • [EXTERNAL_DOWNLOADS]: The skill is configured to perform network requests to itautonomos.com and follow various bit.ly redirects. Automated security scans have identified https://bit.ly/example, which is used as a placeholder in the skill's documentation, as a malicious URL associated with botnet activity.
  • [DATA_EXPOSURE]: The skill accesses the local file _resources/bitly_links.json to validate link coverage. Reading this internal project resource is necessary for the task, but it gives the agent access to local filesystem data.
Recommendations
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
Risk Level: CRITICAL
Analyzed: Mar 3, 2026, 05:00 PM