securityclaw-autonomous-soc-agent
Fail
Audited by Gen Agent Trust Hub on May 22, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The installation instructions fetch the official setup script from Ollama's domain and clone the agent's main codebase from its GitHub repository.
- [REMOTE_CODE_EXECUTION]: The skill instructs the user to execute the Ollama installation script by piping it directly to the shell (curl | sh). This is a known distribution method for the Ollama service.
- [COMMAND_EXECUTION]: The framework is designed to execute Python-based 'skills' from local directories and perform database operations against OpenSearch/Elasticsearch clusters. It also supports manual dispatch of these skills via a CLI entry point.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core function of analyzing external security logs.
  - Ingestion points: The logic.py and threat_analyst components ingest raw network events and logs from OpenSearch/Elasticsearch indices.
  - Boundary markers: No explicit delimiters or XML tags are used in the prompt templates (e.g., in skills/my_skill/logic.py) to separate untrusted log data from the instructions.
  - Capability inventory: The agent can perform network requests to threat intelligence APIs (AbuseIPDB), execute database queries, and modify its internal memory/state.
  - Sanitization: There is no evidence of sanitization or escaping of the log data hits before they are interpolated into the LLM context strings.
Recommendations
- HIGH: Downloads and executes remote code from: https://ollama.com/install.sh - DO NOT USE without thorough review
Audit Metadata