bitbucket
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (CRITICAL): The installation instructions command the user to pipe a remote script from an untrusted domain directly into bash (
curl -sSL https://canifi.com/skills/bitbucket/install.sh | bash). This allows the remote server to execute arbitrary commands on the host machine without verification. - EXTERNAL_DOWNLOADS (HIGH): The skill references multiple external scripts from
canifi.com, which is not a verified or trusted source. This includes the main skill installer and thecanifi-envconfiguration utility. - COMMAND_EXECUTION (HIGH): The skill relies on the execution of local shell commands for environment configuration and tool operations, providing a pathway for privilege escalation if the downloaded scripts are malicious.
- PROMPT_INJECTION (LOW): The skill possesses a significant attack surface for indirect prompt injection. It ingests data from Bitbucket (Pull Requests, issues, commit messages, and pipelines). An attacker could place malicious instructions in a repository's metadata or comments that the AI agent might follow when summarizing activity.
- Ingestion points:
bitbucket.orgvia Playwright MCP (PRs, Issues, Pipelines, Activity feeds). - Boundary markers: Absent. The skill does not define specific delimiters for external content.
- Capability inventory: Shell command execution (via
canifi-env), browser automation via Playwright, and file system access to the.canifidirectory. - Sanitization: Absent. No evidence of content filtering or safety instructions regarding external repository data.
Recommendations
- HIGH: Downloads and executes remote code from: https://canifi.com/skills/bitbucket/install.sh, https://canifi.com/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata