self
Warn
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFECOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill instructions direct the agent to read
~/.mi/config.json, which is explicitly documented as the storage location for theOPENAI_API_KEYand other sensitive environment variables. - [COMMAND_EXECUTION]: The skill provides procedures and code examples for the agent to write new JavaScript files to its tool directory and execute them using the
spawnglobal function to run shell processes. - [REMOTE_CODE_EXECUTION]: The "Writing new tools" section enables the agent to generate and hot-load arbitrary JavaScript modules at runtime, providing a mechanism for executing generated code that can interact with the host system.
- [PROMPT_INJECTION]: The skill describes an architecture vulnerable to indirect prompt injection.
- Ingestion points: Untrusted data is ingested from
AGENTS.mdfiles in the repository root or current directory. - Boundary markers: No delimiters or instructions to ignore embedded commands are present when reading these files.
- Capability inventory: The agent possesses high-privilege capabilities including reading credentials, writing files, and executing shell commands.
- Sanitization: External content from repository files is treated as ground truth without validation or escaping before being processed.
Audit Metadata