when-bridging-web-cli-use-web-cli-teleport
Fail
Audited by Gen Agent Trust Hub on Jun 26, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill generates a server script (
server.js) designed specifically to execute shell commands received over the network. - Evidence: In
SKILL.md, the/api/cli/executePOST endpoint constructs a command string from the request body:const fullCommand = \${command} ${args.join(' ')}`;and passes it to theexec()` function. - [REMOTE_CODE_EXECUTION]: The bridge server implementation provides a functional path for remote code execution (RCE).
- Evidence: The code in
server.jsexposes the system's shell via an unauthenticated HTTP API on port 3001. There is no sanitization of thecommandorargsvariables, allowing for shell metacharacter injection and arbitrary command execution. - [EXTERNAL_DOWNLOADS]: The skill requires downloading and running external packages and tools from remote registries.
- Evidence: The instructions in
README.md,SKILL.md, andPROCESS.mdutilizenpx claude-flow@alphafor architecture design and component generation, and performnpm installfor various dependencies likeexpressandsocket.io. - [PROMPT_INJECTION]: The skill exhibits a significant surface for indirect prompt injection and command injection through untrusted data processing.
- Ingestion points: The
req.bodyof the Express server inserver.jsand thedataparameter in therender_web_uifunction incli-tool-with-web.sh. - Boundary markers: None present. The inputs are directly interpolated into commands or emitted via WebSockets.
- Capability inventory:
child_process.execinserver.jsallows full system command execution. - Sanitization: Absent. The server implementation lacks any logic to escape or validate the incoming command strings.
Recommendations
- AI detected serious security threats
Audit Metadata