agentation

Warn

Audited by Gen Agent Trust Hub on Jun 27, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/setup-agentation-mcp.sh modifies platform-specific configuration files in the user's home directory, including ~/.claude/claude_desktop_config.json, ~/.codex/config.toml, ~/.gemini/settings.json, and ~/.config/opencode/opencode.json to register the MCP server.
  • [REMOTE_CODE_EXECUTION]: The skill facilitates remote code execution by recommending the use of npx -y agentation-mcp server and npx skills add benjitaylor/agentation -g to download and run code from unverified sources.
  • [EXTERNAL_DOWNLOADS]: Instructions include the installation of the agentation package from the NPM registry.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface because it processes external UI feedback data (comments, element selectors) that the agent may interpret as instructions.
  • Ingestion points: Data enters the context via UI annotation packets and the agentation_watch_annotations tool as described in SKILL.md and references/watch-loop-and-self-driving.md.
  • Boundary markers: Absent; there are no instructions to use delimiters or ignore embedded instructions when processing feedback packets.
  • Capability inventory: The skill possesses extensive capabilities including Bash, Write, and Read tools, as defined in the SKILL.md frontmatter.
  • Sanitization: Absent; the skill lacks any described validation or sanitization logic for the content of processed annotations.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 27, 2026, 04:58 AM
Security Audit — agent-trust-hub — agentation