crm-cli
Fail
Audited by Gen Agent Trust Hub on Jun 17, 2026
Risk Level: CRITICAL - REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill's installation instructions recommend pipe-to-shell execution: curl -fsSL https://raw.githubusercontent.com/dzhng/crm.cli/main/install.sh | sh. This pattern executes unverified remote scripts with the privileges of the current user, providing a direct path for arbitrary code execution during setup.
- [COMMAND_EXECUTION]: The skill supports a shell hooks feature ([hooks] in crm.toml) that allows users to configure arbitrary scripts to run automatically on specific events, such as post-contact-add or pre-deal-stage-change. This capability can be abused if an attacker can trigger these events via malicious data ingestion.
- [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection due to its core functionality of ingesting and displaying external data.
  - Ingestion points: Data enters the system via crm import (CSV/JSON) and manual entry through crm contact add or crm deal add commands.
  - Boundary markers: The skill definition provides no instructions or mechanisms for using delimiters or boundary markers to isolate potentially malicious embedded instructions in the CRM data.
  - Capability inventory: The skill provides the agent with file system access (via crm mount) and command execution capabilities (via CLI tools and hooks), which can be exploited if the agent obeys instructions found within the data.
  - Sanitization: There is no mention of sanitization, escaping, or validation of the input data before it is stored or presented to the agent.
- [EXTERNAL_DOWNLOADS]: The skill downloads a precompiled binary and mount dependencies (FUSE/Rust toolchain) from remote sources during the installation process.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/dzhng/crm.cli/main/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata