Skills
skills/automateyournetwork/netclaw/rfc-lookup/Gen Agent Trust Hub

rfc-lookup

Warn

Audited by Gen Agent Trust Hub on Mar 18, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill uses 'npx -y @mjpitz/mcp-rfc' to fetch an external package from the NPM registry during execution.
  • [REMOTE_CODE_EXECUTION]: The skill executes code from an unverified third-party NPM package ('@mjpitz/mcp-rfc') via 'npx'. This package is not part of the trusted vendors list and is not owned by the skill author.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface. (1) Ingestion: Untrusted RFC content is retrieved via the 'get_rfc' and 'search_rfcs' tools. (2) Boundaries: No boundary markers or 'ignore instructions' are present. (3) Capabilities: The skill can execute subprocesses via 'npx' and 'python3'. (4) Sanitization: No evidence of validation or filtering of the external RFC data before it is processed by the agent.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 18, 2026, 06:13 AM