
pagr

Fail

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: HIGH (CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
  • [CREDENTIALS_UNSAFE]: The SKILL.md file contains a hardcoded API key (pagr_tW2NdRvtqZq2CIb0oJ137rfh75ystZoeoOQiSd7aMDc) within a URL provided for the Remote MCP Server configuration. Hardcoding credentials in skill instructions is a security risk as it exposes the key to any user or agent that processes the skill.
  • [EXTERNAL_DOWNLOADS]: The skill instructs the agent to install and use external Node.js packages from the npm registry, specifically @getpagr/cli and @getpagr/mcp (via npx).
  • [COMMAND_EXECUTION]: The skill relies on the execution of shell commands through the pagr CLI tool. This includes the pagr init command, which modifies the local file system by creating skill files and editing the agent's configuration (e.g., .claude/settings.json) to register a Model Context Protocol (MCP) server.
  • [DATA_EXFILTRATION]: The core functionality of the skill involves reading local HTML files and uploading their content to the external Pagr service (https://pagr.link). This represents an intentional data transfer to a remote endpoint.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 20, 2026, 12:35 PM