skills/xixu-me/skills/xget/Gen Agent Trust Hub

xget

Fail

Audited by Gen Agent Trust Hub on Mar 28, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill implements a workflow that fetches live documentation from a remote source and instructs the agent to execute shell commands found within that content. This creates a direct path for executing remote instructions retrieved from an external repository.
  • [COMMAND_EXECUTION]: Instructions in SKILL.md mandate high autonomy by telling the agent to default to execution rather than instruction, directing it to perform shell commands and file edits directly on the host system.
  • [EXTERNAL_DOWNLOADS]: The script scripts/xget.mjs performs network requests to retrieve platform catalogs and markdown snippets from an external domain at runtime.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection by ingesting untrusted markdown data from a remote URL and treating it as a primary source for agent behavior.
      • Ingestion points: Remote content fetched by scripts/xget.mjs from gitcode.com.
      • Boundary markers: None; the agent is instructed to apply the content directly to the user's environment.
      • Capability inventory: Shell execution, file system modification, and network access.
      • Sanitization: None; the raw markdown content is parsed and applied without validation.
  • [COMMAND_EXECUTION]: The skill includes explicit instructions for the agent to modify sensitive shell configuration files like .bashrc and .zshrc to persistently store environment variables.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 28, 2026, 07:19 PM