pex-cli
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill possesses a significant attack surface by ingesting and processing untrusted external content.
- Ingestion points: The
pex ingest-mdcommand reads local markdown files from a user-provided path into the system. - Boundary markers: No boundary markers or 'ignore' instructions are defined for the ingested data.
- Capability inventory: The skill can execute the
pexCLI, perform graph modifications (pex clear), and initiate LLM inference (phase6-infer). - Sanitization: There is no evidence of sanitization or safety filtering for content ingested from the markdown files before it is processed by the LLM.
- Command Execution (MEDIUM): The skill relies on the execution of a local binary/script
pex. While the source of the CLI is not specified, it is granted the ability to interact with the filesystem and external services like FalkorDB and Ollama. - Data Exposure (LOW): The
pex ingest-mdcommand allows for the reading of arbitrary directory paths. If exploited via a prompt injection or malicious input, this could be used to scan the local filesystem for sensitive data, though it is primarily designed for medical education data.
Recommendations
- AI detected serious security threats
Audit Metadata