agentation
Fail
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
- [REMOTE_CODE_EXECUTION]: Automated security scans identified a high-risk pattern in the platform integration hooks described in SKILL.md. The instructions for Claude Code and Gemini CLI suggest a command that pipes the output of a
curlrequest tolocalhost:4747directly into thepython3interpreter. Executing network-retrieved content via a shell pipe to a language interpreter is an identified execution risk. - [COMMAND_EXECUTION]: The
scripts/setup-agentation-mcp.shscript performs automated discovery and modification of several AI agent configuration files. It writes MCP server registration details into~/.claude/claude_desktop_config.json,~/.codex/config.toml,~/.gemini/settings.json, and~/.config/opencode/opencode.jsonto ensure the tool's persistence and integration. - [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by ingesting UI annotations from external browser sessions.
- Ingestion points: Data enters the agent context through the
localhost:4747/pendingendpoint and theagentation_watch_annotationstool. - Boundary markers: While the hook output uses delimiters like
=== AGENTATION ===, these do not provide protection against malicious instructions embedded in the annotation content. - Capability inventory: The agent is equipped with
Write,Bash, andGreptools and is explicitly instructed to modify the codebase based on the received annotations. - Sanitization: No validation or sanitization is performed on user-provided comments or element selectors before they are interpolated into agent instructions.
- [EXTERNAL_DOWNLOADS]: The skill documentation relies on several external resources and tools, including the
agentationandagentation-mcppackages and theadd-mcputility. It also makes runtime network calls to a local server to fetch pending tasks. - [DATA_EXFILTRATION]: The React component includes a
webhookUrlproperty and supports anAGENTATION_WEBHOOK_URLenvironment variable. This allows the tool to transmit application metadata, including CSS selectors, bounding boxes, and React component trees, to an arbitrary external endpoint.
Recommendations
- HIGH: Downloads and executes remote code from: http://localhost:4747/pending - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata