claude-code-local-mlx
Fail
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches the Homebrew installation script from the official Homebrew repository. Homebrew is a well-known service for macOS package management.
- [EXTERNAL_DOWNLOADS]: Clones external repositories from GitHub, including the main project repository and the ds4 engine repository by a well-known developer.
- [COMMAND_EXECUTION]: Executes several local bash and Python scripts provided within the cloned repository, such as start-mlx-server.sh, monitor.py, and browser-agent-server.py.
- [COMMAND_EXECUTION]: Utilizes sudo powermetrics to gather hardware performance data, which requires elevated administrative privileges.
- [PROMPT_INJECTION]: Presents a surface for indirect prompt injection (Category 8) by instructing the agent to ingest and analyze untrusted external data like NDA documents and large codebases.
- Ingestion points: Functions such as analyze_nda and analyze_codebase in SKILL.md read file content directly from the local file system.
- Boundary markers: Absent; the skill lacks delimiters or instructions to ignore embedded commands within the processed files.
- Capability inventory: The skill environment includes file system access, network server capabilities, and hardware monitoring tools.
- Sanitization: No sanitization, escaping, or validation of the ingested file content is performed before it is interpolated into the agent's prompts.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh - DO NOT USE without thorough review
Audit Metadata