ngrok-preview
Warn
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [Data Exposure & Exfiltration] (MEDIUM): The skill's primary function is to create public internet tunnels to local filesystem artifacts using ngrok. This creates a significant attack surface where local content is made accessible over the public internet. While the instructions advise scoping to specific artifacts, a misconfiguration or malicious intent could lead to the exposure of sensitive files like SSH keys, credentials, or environment files.
- [Command Execution] (MEDIUM): The skill executes a local Python script `scripts/ngrok_preview.py` and potentially the `ngrok` binary via subprocess. The arguments for these commands, specifically the `--source` file paths and `--title`, are derived from task context which may be influenced by external or untrusted data.
- [Unverifiable Dependencies & Remote Code Execution] (LOW): The skill requires the `ngrok` binary, directing users to download it from an external site (ngrok.com). While ngrok is a well-known service, it is not within the defined list of Trusted External Sources, and the skill relies on this external executable to function.
- [Indirect Prompt Injection] (LOW): The skill is vulnerable to surface-level indirect injection if an attacker can influence the file paths passed to the `--source` argument.
  - Ingestion points: The `--source` argument in `scripts/ngrok_preview.py` accepts arbitrary file paths.
  - Boundary markers: None implemented in the command structure; reliance is placed on the agent's adherence to natural language instructions to "Collect only task artifacts".
  - Capability inventory: The skill uses `ngrok` to provide network access to local files and executes shell commands via `python3` scripts.
  - Sanitization: There is no evidence of path sanitization or validation to prevent the inclusion of sensitive system files outside the intended task scope.
Audit Metadata