tools-router

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill maps specific local paths for binaries (e.g., /opt/homebrew/bin/gemini, ~/.local/bin/codex, ~/.amp/bin/amp) to the agent's capabilities. This allows the agent to execute a wide array of local system tools and AI models with the permissions of the user running the agent.
  • [REMOTE_CODE_EXECUTION] (HIGH): The lootbox exec pattern is a dynamic execution sink that takes arbitrary string-based code (TypeScript) and executes it within a context that has access to sensitive tools. This represents a classic Remote Code Execution (RCE) vector if the strings passed to exec are influenced by untrusted external data.
  • [DATA_EXFILTRATION] (MEDIUM): The integration of the filesystem namespace alongside external network-enabled tools like perplexity and brave-search enables a data exfiltration path. An agent could be instructed to read sensitive files (like ~/.aws/credentials) and send the content as a search query or payload to an external provider.
  • [DATA_EXFILTRATION] (MEDIUM): The skill configuration relies on a local WebSocket server (ws://localhost:9742/ws). If this server does not implement strict authentication or origin checks, it could be vulnerable to cross-site attacks targeting the tool execution environment.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:30 PM