strix
Fail
Audited by Gen Agent Trust Hub on Jun 17, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill performs piped remote code execution by downloading a shell script from
https://strix.ai/installand piping it directly tobash. This is implemented inscripts/install.shand described as the primary setup method inSKILL.md,SKILL.toon, andreferences/commands.md. - [EXTERNAL_DOWNLOADS]: The skill downloads binaries and scripts from
strix.aiand pulls container images from the GitHub Container Registry (ghcr.io/usestrix/strix-sandbox), a well-known service. - [COMMAND_EXECUTION]: The skill relies on the
Bashtool to execute operational scripts includingscripts/install.sh,scripts/run-scan.sh, andscripts/ci-scan.sh, which in turn manage thestrixCLI anddockerenvironment. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface through its processing of untrusted targets and instruction files. 1. Ingestion points: Untrusted data enters via the
--target,--instruction, and--instruction-fileparameters inscripts/run-scan.shandscripts/ci-scan.sh. 2. Boundary markers: The skill does not implement delimiters or protective instructions to isolate potentially malicious embedded instructions in target codebases. 3. Capability inventory: The skill can execute shell commands, perform network operations, and access local files through thestrixCLI. 4. Sanitization: No input validation or sanitization is applied to arguments before they are passed to the shell for execution.
Recommendations
- HIGH: Downloads and executes remote code from: https://strix.ai/install - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata