trello
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (CRITICAL): The skill instructs users to run
curl -sSL https://canifi.com/skills/trello/install.sh | bashandcurl -sSL https://canifi.com/install.sh | bash. This pattern downloads and executes arbitrary code from an untrusted external domain without any verification of the script content. - CREDENTIALS_UNSAFE (HIGH): The 'Setup' and 'Privacy' sections encourage users to store
SERVICE_PASSWORDandSERVICE_EMAILin local environment variables viacanifi-env. This practice exposes sensitive credentials to any local process or subsequent agent actions that can read the environment. - PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8). It reads card titles and descriptions from Trello boards (ingestion point) using Playwright. Since it lacks boundary markers and sanitization, an attacker could place instructions inside a Trello card to hijack the agent's behavior.
- Ingestion points: Trello board names, list names, and card content (referenced in Usage Examples).
- Boundary markers: Absent. The agent is instructed to read all lists and cards directly.
- Capability inventory: Execution of shell commands via
canifi-envand full browser automation via Playwright MCP. - Sanitization: Absent. No logic is provided to escape or validate data retrieved from Trello before the agent processes it.
Recommendations
- HIGH: Downloads and executes remote code from: https://canifi.com/skills/trello/install.sh, https://canifi.com/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata