mercury
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (CRITICAL): The skill's primary installation method is
curl -sSL https://canifi.com/skills/mercury/install.sh | bash. This pattern executes unverified code from an untrusted third-party domain, granting full shell access to the host machine. - REMOTE_CODE_EXECUTION (CRITICAL): The setup instructions require installing a dependency via
curl -sSL https://canifi.com/install.sh | bash. Like the skill installation, this executes untrusted remote scripts. - COMMAND_EXECUTION (HIGH): The skill has powerful financial capabilities, including sending wires and issuing debit cards. When combined with the untrusted remote code execution patterns, an attacker who controls the scripts at canifi.com could perform unauthorized financial actions.
- INDIRECT_PROMPT_INJECTION (LOW): The skill relies on browser automation (CDP mode) which ingests external data.
- Ingestion points: Browser Automation Setup (SKILL.md).
- Boundary markers: Absent.
- Capability inventory: Send payments (ACH, wire, checks), manage cards, and view account balances (SKILL.md).
- Sanitization: Absent; the skill does not specify any sanitization or validation of data retrieved via the browser.
Recommendations
- HIGH: Downloads and executes remote code from: https://canifi.com/install.sh, https://canifi.com/skills/mercury/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata