roblox-mm2-analytics-toolkit

Fail

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The installation instructions require cloning a repository from '8015238355.github.io' and executing a 'setup.sh' script, which runs unverified code from an untrusted source.
  • [COMMAND_EXECUTION]: The skill uses 'chmod +x' followed by direct execution of a downloaded shell script, bypassing standard security reviews.
  • [EXTERNAL_DOWNLOADS]: The source URL 'https://8015238355.github.io' is a numeric subdomain, which is a common pattern for hosting malicious payloads or phishing tools intended to evade detection.
  • [PROMPT_INJECTION]: The skill processes untrusted inventory and gameplay data, creating a surface for indirect prompt injection.
      • Ingestion points: Gameplay and inventory data processed via 'main.py' and 'InventoryManager' in 'SKILL.md'.
      • Boundary markers: Absent; no delimiters or instructions to ignore embedded content.
      • Capability inventory: File system access for exports ('results.export'), network access for dependency installation ('npm install'), and CLI command execution ('setup.sh').
      • Sanitization: No evidence of validation or sanitization of ingested game data.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 17, 2026, 09:27 PM