ros-robotics
Fail
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill's documentation and installation guides recommend piping remote scripts directly into the shell (curl -fsSL ... | bash) or PowerShell (irm ... | iex). This is a high-risk practice that allows execution of unverified code from a remote repository. Evidence: Found in README.md, README.en.md, and docs/INSTALL.md targeting scripts in the author's GitHub repository.
- [DYNAMIC_EXECUTION]: The script 'scripts/check_tf_tree.py' uses the subprocess module to execute the external 'xacro' command on user-supplied file paths. Running CLI tools on untrusted inputs represents a potential command execution risk if the environment is not strictly controlled.
- [DATA_EXPOSURE_AND_EXFILTRATION]: Multiple scripts including 'detect_ros_workspace.py', 'check_ros_workspace_consistency.py', and 'check_tf_tree.py' use the standard 'xml.etree.ElementTree' library to parse XML and URDF files from the target workspace. This library is vulnerable to XML External Entity (XXE) attacks, which could allow a malicious workspace to read sensitive local files.
- [INDIRECT_PROMPT_INJECTION]: The skill performs automated analysis of untrusted files (package.xml, CMakeLists.txt, URDF) within a user's workspace without employing boundary markers or sanitization.
  1. Ingestion points: Diagnostic scripts reading workspace files.
  2. Boundary markers: Absent.
  3. Capability inventory: Subprocess execution, file system access, and remote downloads.
  4. Sanitization: None (uses insecure XML parsing and direct text reads).
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/wzyn20051216/ros-robotics-skill/main/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata