agent-contacts

Fail

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute 'claude mcp add' using an 'mcp_url' retrieved from a remote JSON file. Because this value is not sanitized before being passed to the shell, an attacker can include shell metacharacters (e.g., ';', '&', '|') in the remote JSON to achieve arbitrary command execution on the host machine.
  • [REMOTE_CODE_EXECUTION]: The skill implements a dangerous multi-step execution pattern where it first downloads a remote payload using WebFetch and then uses the contents of that payload to configure the system via Bash. This establishes an unvalidated trust chain between external, untrusted data and system-level execution.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by ingesting and storing untrusted metadata. 1. Ingestion points: remote 'name' and 'description' fields are fetched via WebFetch from a user-provided URL in SKILL.md. 2. Boundary markers: no delimiters or instructions are used to isolate the fetched strings. 3. Capability inventory: the skill has access to Bash for system configuration and Write for local file modification. 4. Sanitization: no escaping or validation is performed on the remote strings before they are persisted to the local contacts database or displayed to the user.
  • [EXTERNAL_DOWNLOADS]: The skill fetches configuration files from arbitrary external URLs provided by the user. While this is part of the intended functionality, the lack of source validation or content integrity checks makes it a primary vector for the identified injection attacks.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 17, 2026, 10:32 PM
Security Audit — agent-trust-hub — agent-contacts