ollama-local

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [Remote Code Execution] (CRITICAL): In SKILL.md, the skill directs the user or agent to execute curl -fsSL https://ollama.ai/install.sh | sh. This is a piped-to-shell pattern that executes unverified remote code. The domain ollama.ai is not on the trusted external sources list, making this a critical vulnerability.
  • [Indirect Prompt Injection] (HIGH): The skill demonstrates a high-risk capability tier in SKILL.md. It provides patterns for the agent to ingest untrusted data (e.g., Analyze this code: ...) and bind the LLM to tools (llm.bind_tools([search_docs])). This creates an attack surface where malicious instructions inside processed data could trigger unauthorized tool actions.
    • Ingestion points: structured_llm.ainvoke in SKILL.md.
    • Boundary markers: None. Untrusted strings are interpolated directly into prompts.
    • Capability inventory: The skill explicitly demonstrates tool-calling capabilities and local shell command execution.
    • Sanitization: None. Input is passed directly to the model.
  • [Command Execution] (MEDIUM): The skill relies on executing multiple local CLI commands (ollama pull, ollama serve, ollama ps) via the agent's environment, which increases the potential impact of any successful prompt injection.
Recommendations
  • CRITICAL: Downloads and executes remote code from untrusted source(s): https://ollama.ai/install.sh - DO NOT USE
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Feb 15, 2026, 10:04 PM