anytype
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, COMMAND_EXECUTION
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): The skill documentation includes commands that pipe remote shell scripts directly to bash from an untrusted domain (canifi.com), allowing for arbitrary code execution on the host system.
  - Evidence: `curl -sSL https://canifi.com/skills/anytype/install.sh | bash` in SKILL.md.
  - Evidence: `curl -sSL https://canifi.com/install.sh | bash` in SKILL.md.
- EXTERNAL_DOWNLOADS (HIGH): The installation and setup processes rely on resources hosted on canifi.com, which is not a trusted source according to established safety guidelines.
- CREDENTIALS_UNSAFE (HIGH): The skill explicitly suggests storing service passwords in local environment variables using a custom, unverified utility (canifi-env).
  - Evidence: `canifi-env set SERVICE_PASSWORD "your-password"` in SKILL.md.
- COMMAND_EXECUTION (MEDIUM): The use of Playwright for automation provides the agent with the capability to perform actions in a browser environment, which could be exploited if directed by malicious content or combined with other vulnerabilities.
- INDIRECT_PROMPT_INJECTION (LOW): The skill ingests data from external objects in Anytype via Playwright, creating a potential surface for indirect prompt injection.
  - Ingestion points: Anytype objects, blocks, and search results processed via Playwright.
  - Boundary markers: Absent.
  - Capability inventory: Object creation, deletion, linking, and browser navigation.
  - Sanitization: Not documented.
Recommendations
- HIGH: Downloads and executes remote code from: https://canifi.com/skills/anytype/install.sh, https://canifi.com/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata