ai-pro
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill repeatedly promotes the use of `bun x repomix` (in `SKILL.md` and `references/architect-archive.md`). This command downloads and executes the `repomix` package from a remote registry at runtime without version pinning, which is equivalent to unverified remote code execution.
- [DATA_EXFILTRATION] (MEDIUM): The core 'Context Packing' strategy involves aggregating large segments of a codebase into a single file for ingestion by an external LLM. This practice encourages the bulk transfer of potentially proprietary source code to non-whitelisted third-party providers like OpenRouter.
- [COMMAND_EXECUTION] (LOW): The skill provides examples of commands like `git grep` and `rg` for searching for sensitive strings (e.g., `SECRET`, `PASSWORD`). While standard for developers, an autonomous agent using these tools could be manipulated into exposing credentials stored in the repository.
- [REMOTE_CODE_EXECUTION] (HIGH): The script `scripts/generate_image.py` presents an Indirect Prompt Injection surface. If an agent populates the `prompt` or processes an `input_image` from untrusted sources, it could be coerced into performing unintended actions through the model interface.
  - Ingestion points: the `prompt` argument and the `--input` file path in `scripts/generate_image.py`.
  - Boundary markers: Absent; there are no delimiters or instructions to isolate the user-provided prompt from the agent's instructions.
  - Capability inventory: The script performs network requests (via `requests.post`) to an external API and writes data to the local filesystem (`open(output_path, 'wb')`).
  - Sanitization: Absent; input strings are passed directly to the external API without validation or escaping.
Recommendations
- AI detected serious security threats
Audit Metadata