cesto-toolkit
Pass
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/start_login.py uses subprocess.Popen to open the system's default web browser for authentication. On Windows this is done with shell=True. The URL is built from a hardcoded base and a session ID returned by the vendor's API, so no user-typed input reaches the shell; even so, whatever string is passed is parsed by cmd.exe, so the session ID should be validated (or the browser opened without a shell) before interpolation. Routing a command through the shell is a standard but sensitive operation and is recorded here for that reason.
- [EXTERNAL_DOWNLOADS]: The skill fetches platform data, such as basket details and market analytics, from the vendor's official backend at https://backend.cesto.co. These requests go only to the vendor's infrastructure and are used solely to present data to the user.
- [SAFE]: The skill implements several robust security practices:
  - Session Isolation: Authentication tokens are stored in an encoded format in ~/.cesto/session.dat and are read and written only by helper scripts, so the AI model never handles raw secrets and credentials cannot leak into conversation logs. (Encoding is not encryption; the protection comes from the model never reading the file directly.)
  - Indirect Prompt Injection Defenses: SKILL.md contains explicit security instructions directing the agent to treat API content as untrusted user-generated data. In particular, it forbids the agent from following URLs or executing instructions found in basket descriptions.
  - URL Allowlisting: scripts/api_request.py enforces a strict allowlist of origins, so authentication headers are only sent to the vendor's authorized domains.
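The three controls above (origin allowlisting before attaching credentials, handing a validated URL to the OS without a shell, and keeping the token in an encoded helper-managed file) can be shown together in one short Python example. This is an added illustration written for this page, not the cesto-toolkit's own scripts: the allowlist contents, the session-ID format, the function names and the sample URLs are all assumptions; only the backend host https://backend.cesto.co comes from the audit text.

```python
"""Added example: origin allowlisting, login-URL hygiene and session-file
handling in the style the audit describes. Illustrative code, not the
cesto-toolkit scripts; allowlist, session-ID shape and names are assumed."""
import base64
import os
import re
from urllib.parse import quote, urlsplit

# Assumed allowlist of (scheme, host, port). The host is the vendor backend
# named in the audit; the real scripts/api_request.py allowlist is not shown.
ALLOWED_ORIGINS = frozenset({("https", "backend.cesto.co", 443)})

# Hypothetical session-ID shape: URL-safe characters only, bounded length.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9_-]{8,128}")


def origin_of(url: str) -> tuple:
    """Normalise a URL to (scheme, lowercase host, effective port)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)


def is_allowed_origin(url: str, allowlist=ALLOWED_ORIGINS) -> bool:
    """Exact origin match: defeats suffix/prefix lookalikes and user@host tricks."""
    try:
        return origin_of(url) in allowlist
    except ValueError:
        return False


def build_headers(url: str, token: str, allowlist=ALLOWED_ORIGINS) -> dict:
    """Attach the bearer token only when the destination origin is allowlisted."""
    if not is_allowed_origin(url, allowlist):
        raise PermissionError(f"refusing to send credentials to {url!r}")
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def is_valid_session_id(session_id: str) -> bool:
    return SESSION_ID_RE.fullmatch(session_id) is not None


def build_login_url(base: str, session_id: str) -> str:
    """Validate, then percent-encode, the session ID before it is interpolated
    into a URL that will be handed to the operating system."""
    if not is_valid_session_id(session_id):
        raise ValueError("session id contains unexpected characters")
    return f"{base}?session={quote(session_id, safe='')}"


def browser_argv(url: str, platform: str) -> list:
    """argv for opening url in the default browser with shell=False.
    On Windows, rundll32's FileProtocolHandler is one way to avoid cmd.exe's
    'start' builtin, so no shell metacharacter parsing happens at all."""
    if platform == "win32":
        return ["rundll32", "url.dll,FileProtocolHandler", url]
    if platform == "darwin":
        return ["open", url]
    return ["xdg-open", url]


def store_session(path: str, token: str) -> None:
    """Write the token base64-encoded to a file created with mode 0600.
    Encoding is obfuscation only; the real control is that the agent
    reads the file only through helper scripts, never directly."""
    data = base64.b64encode(token.encode())
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def load_session(path: str) -> str:
    with open(path, "rb") as fh:
        return base64.b64decode(fh.read()).decode()
```

The allowlist compares the full origin rather than a hostname suffix, so `backend.cesto.co.evil.example` and `backend.cesto.co@evil.example` are both rejected. If a launcher must stay on `subprocess.Popen`, passing `browser_argv(...)` with `shell=False` (or simply `webbrowser.open(url)`) removes the cmd.exe parsing step that made the original finding worth noting.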
Audit Metadata