zread
Warn
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill manages sensitive configuration files containing API keys. Specifically, the
zread config --stdiointerface returns the plaintextllm_api_keyin its ViewModel output, exposing stored credentials to any agent or log system processing the tool's machine-readable output. - [EXTERNAL_DOWNLOADS]: The skill documents the installation and update of external binaries from remote sources via
npmand the tool's ownupdatecommand. - [REMOTE_CODE_EXECUTION]: Through the
zread updatecommand, the tool can replace its own executable binary with content downloaded from a remote URL at runtime, representing a potential execution vector. - [COMMAND_EXECUTION]: The skill allows the agent to execute multiple CLI commands, including repository crawling (
generate), local web serving (browse), and configuration management (config), which involve file system writes and local server hosting. - [DATA_EXFILTRATION]: The core functionality involves sending the local codebase contents to an external LLM provider, which constitutes an inherent data transfer of potentially sensitive intellectual property.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by processing unvalidated repository content (code and comments) through an LLM to generate wikis.
- Ingestion points: Reads all files within the current repository workspace during the generation phase.
- Boundary markers: No delimiters or safety instructions are specified in the protocol to separate code content from instructions for the LLM.
- Capability inventory: Local file system writes, local server hosting, and self-updating binary capabilities.
- Sanitization: No sanitization or filtering of the ingested source code is mentioned in the protocol before it is transmitted to the LLM.
Audit Metadata