vm0
Warn
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill downloads and automatically extracts .tar.gz archives from api.vm0.ai, which is not on the trusted source list.
  - Evidence: curl -L -o artifact.tar.gz ... && tar -xzf artifact.tar.gz in references/artifacts.md and references/volumes.md.
- COMMAND_EXECUTION (LOW): The skill uses bash -c to wrap curl commands to preserve environment variables, which increases the complexity of the execution environment.
  - Evidence: Frequent use of bash -c 'curl ...' throughout SKILL.md and reference files.
- DATA_EXFILTRATION (LOW): Authentication tokens are transmitted to the external domain api.vm0.ai.
  - Evidence: Authorization headers containing VM0_TOKEN or VM0_API_KEY are sent to https://api.vm0.ai/v1/ during API calls.
- PROMPT_INJECTION (LOW): A surface for Indirect Prompt Injection exists through the ingestion of untrusted data from agent logs, artifacts, and volumes.
  - Ingestion points: references/artifacts.md (artifacts), references/volumes.md (volumes), and references/runs.md (logs).
  - Boundary markers: Absent.
  - Capability inventory: Shell execution (bash -c), file extraction (tar), and network access (curl).
  - Sanitization: Absent.
Audit Metadata