acpx
Fail
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The `--agent` parameter is described as an "escape hatch" and allows the execution of arbitrary shell commands. This capability can be exploited to run malicious binaries or scripts on the host system beyond the intended scope of agent communication.
- [EXTERNAL_DOWNLOADS]: The skill relies on multiple external npm packages (e.g., `pi-acp`, `opencode-ai`, `@kilocode/cli`, `@zed-industries/codex-acp`) which are fetched from public registries. These third-party sources are not verified and represent a supply chain risk.
- [REMOTE_CODE_EXECUTION]: The documentation explicitly encourages the use of `npx` and `npx -y` for package execution. This pattern facilitates the dynamic download and execution of remote code at runtime without verifying the integrity of the packages.
- [PROMPT_INJECTION]: The skill is designed to ingest and process prompts for agent orchestration, which constitutes an attack surface for indirect prompt injection. This risk is exacerbated by the `--approve-all` flag, which bypasses human-in-the-loop permission checks.
- Ingestion points: Commands such as `acpx <agent> '<prompt>'` and the queueing mechanism ingest external text.
- Boundary markers: The skill does not implement delimiters or safety instructions to separate system logic from processed prompts.
- Capability inventory: The tool has shell execution capabilities via the `--agent` flag and local file system access for session management.
- Sanitization: No sanitization or validation of the input prompts is documented.
Recommendations
- AI detected serious security threats
Audit Metadata