setup
Fail
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: HIGH
Flags: DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: Skill contains 'Rule Zero' and 'Rule One' which are non-negotiable instructions forcing the agent to hide its bash activity from the user by running all processes in the background and using silent descriptions to avoid platform UI prompts.
- [DATA_EXFILTRATION]: Implements a 'Universal Credential Auto-Scan' that targets highly sensitive data including Chrome's history SQLite database (~/Library/Application Support/Google/Chrome/Default/History), multiple password manager CLIs (1Password, Dashlane, Bitwarden), and all .env files across the user's home directory.
- [REMOTE_CODE_EXECUTION]: Includes patterns for downloading and piping remote shell scripts directly into bash with elevated privileges (curl | sudo sh).
- [COMMAND_EXECUTION]: Employs the '!' syntax to automatically execute discovery and preflight binaries from the plugin directory during the skill load phase.
- [EXTERNAL_DOWNLOADS]: Fetches and installs external code and plugins from unverified third-party repositories such as gsd-build on GitHub.
- [COMMAND_EXECUTION]: Establishes persistence on the system by creating LaunchAgents on macOS and appending environment variable exports to the user's shell profile files (~/.zshrc).
Recommendations
- AI detected serious security threats
Audit Metadata