skills/warpdotdev/oz-agent-skill/oz/Gen Agent Trust Hub

oz

Fail

Audited by Gen Agent Trust Hub on Feb 12, 2026

Risk Level: CRITICAL
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis

The most severe findings are instructions within references/third-party-clis.md that direct the AI to download and execute shell scripts from external domains using curl ... | bash.

  1. Arbitrary Command Execution / External Downloads (CRITICAL):

    • references/third-party-clis.md, line 133: curl -fsSL https://opencode.ai/install | bash
    • references/third-party-clis.md, line 145: curl -fsSL https://app.factory.ai/cli | sh

    These commands instruct the AI to fetch and execute arbitrary shell scripts from opencode.ai and app.factory.ai. Neither of these domains is listed as a trusted source in the analysis protocol. Executing unverified code from untrusted external sources is a critical security vulnerability: it allows arbitrary code execution, which could lead to data exfiltration, privilege escalation, persistence, or complete system compromise without the user's knowledge or consent.
  2. Unverifiable Dependencies (MEDIUM):

    • SKILL.md, line 100: warpdotdev/warp-agent-action@v1
    • create-environment.md, line 80: brew install --cask docker
    • create-environment.md, line 100: warpdotdev/dev-base:latest (and other warpdotdev Docker images)

    The warpdotdev GitHub organization, while seemingly the vendor's own, is not explicitly listed in the provided trusted sources. Therefore, dependencies like the GitHub Action and Docker images from this source are technically unverifiable according to the strict protocol. Similarly, brew install is an external dependency. These are flagged as MEDIUM because they are external, but less severe than the direct curl | bash from completely unknown domains.
  3. Potential for Data Exfiltration (LOW/INFO):

    • SKILL.md, line 50: oz secret create JIRA_API_KEY --team --value-file jira_key.txt
    • references/third-party-clis.md, line 60: oz secret create ANTHROPIC_API_KEY --team --value-file key.txt (and similar for other API keys)

    These commands read local files (e.g., jira_key.txt, key.txt) to create secrets within the Oz system. While this involves accessing local files, the explicit purpose is to securely store secrets for the agent's use, not to exfiltrate them to an untrusted destination. This is an intended and legitimate function, but any local file interaction, especially with potentially sensitive data, is noted.
  4. Indirect Prompt Injection Risk (INFO):

    The skill's core functionality involves running cloud agents with user-defined prompts and integrating with third-party CLIs that also take prompts. This means that the agents themselves and the third-party CLIs are inherently susceptible to prompt injection if they process untrusted or malicious input. The skill's instructions do not contain malicious prompts, but they enable a workflow where this risk exists for the downstream components.

Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Feb 12, 2026, 06:19 PM