agentation

Fail

Audited by Gen Agent Trust Hub on Apr 30, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: Automated security scans identified a high-risk pattern in the platform integration hooks described in SKILL.md. The instructions for Claude Code and Gemini CLI suggest a command that pipes the output of a curl request to localhost:4747 directly into the python3 interpreter. Executing network-retrieved content via a shell pipe to a language interpreter is an identified execution risk.
  • [COMMAND_EXECUTION]: The scripts/setup-agentation-mcp.sh script performs automated discovery and modification of several AI agent configuration files. It writes MCP server registration details into ~/.claude/claude_desktop_config.json, ~/.codex/config.toml, ~/.gemini/settings.json, and ~/.config/opencode/opencode.json to ensure the tool's persistence and integration.
  • [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by ingesting UI annotations from external browser sessions.
  • Ingestion points: Data enters the agent context through the localhost:4747/pending endpoint and the agentation_watch_annotations tool.
  • Boundary markers: While the hook output uses delimiters like === AGENTATION ===, these do not provide protection against malicious instructions embedded in the annotation content.
  • Capability inventory: The agent is equipped with Write, Bash, and Grep tools and is explicitly instructed to modify the codebase based on the received annotations.
  • Sanitization: No validation or sanitization is performed on user-provided comments or element selectors before they are interpolated into agent instructions.
  • [EXTERNAL_DOWNLOADS]: The skill documentation relies on several external resources and tools, including the agentation and agentation-mcp packages and the add-mcp utility. It also makes runtime network calls to a local server to fetch pending tasks.
  • [DATA_EXFILTRATION]: The React component includes a webhookUrl property and supports an AGENTATION_WEBHOOK_URL environment variable. This allows the tool to transmit application metadata, including CSS selectors, bounding boxes, and React component trees, to an arbitrary external endpoint.
Recommendations
  • HIGH: Downloads and executes remote code from: http://localhost:4747/pending - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 30, 2026, 11:14 PM
Security Audit — agent-trust-hub — agentation