mise
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill teaches the agent to process and execute configuration from
mise.tomland script files inmise-tasks/. These files are often part of the repositories an agent might be asked to analyze or manage. - Ingestion points: Project configuration files (
mise.toml,mise.<env>.toml) and script files in./mise-tasks/or./.mise/tasks/. - Boundary markers: Absent. The instructions do not include steps to verify the safety of these configuration files before execution.
- Capability inventory: Includes arbitrary command execution (
mise run,mise x), environment variable manipulation (mise set), and binary installation (mise install). - Sanitization: None. The skill assumes the configuration and task scripts are trustworthy.
- Remote Code Execution (HIGH): The skill provides instructions for downloading and installing tools from various backends (npm, cargo, asdf, pipx) via
mise install. If an agent is prompted to install a tool based on untrusted input, it could lead to the execution of malicious binaries or scripts. - Persistence Mechanisms (MEDIUM): The skill encourages the use of
eval "$(mise activate [shell])"and suggests adding it to shell profiles (e.g.,~/.zshrc,~/.bashrc). This behavior is used to maintain the tool's environment across sessions, which is a common persistence technique for development tools but should be monitored in an AI context.
Recommendations
- AI detected serious security threats
Audit Metadata