shortio
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill utilizes
bash -cto execute commands with environment variable interpolation (e.g.,${SHORTIO_API_KEY},${LINK_ID}). While this is used as a workaround for environment variable persistence in piped commands, it creates a potential surface for command injection if the variables are populated with unsanitized user input. - [DATA_EXFILTRATION] (LOW): Performs network operations using
curltoapi.short.io. While this is the legitimate endpoint for the service described, the domain is not on the pre-approved whitelist for automated exfiltration analysis, warranting a LOW severity classification for the network access finding. - [DATA_EXPOSURE] (SAFE): Sensitive information (API Key) is correctly handled through the
vm0_secretsmechanism rather than being hardcoded. The use of/tmp/shortio_request.jsonfor staging JSON payloads is a standard practice for CLI-based agents and does not constitute a high-risk data exposure in this context.
Audit Metadata