tkm
Fail
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs the user to install the
orbitCLI using a high-risk pattern:curl -sSfL https://raw.githubusercontent.com/jorgemuza/orbit/main/install.sh | sh. This executes a remote shell script directly with shell privileges. - [EXTERNAL_DOWNLOADS]: Dependencies and tools are fetched from non-whitelisted external sources, including a personal GitHub repository (
jorgemuza/orbit) and a custom Homebrew tap (jorgemuza/tap/orbit). - [COMMAND_EXECUTION]: The skill heavily relies on executing shell commands through the
orbitCLI to interact with local databases and session files. - [DATA_EXFILTRATION]: The skill includes functionality to push token usage data to a centralized analytics service called 'Draxarp' (
orbit -p paybook tracking tkm push), which involves sending data from the local environment to an external network endpoint. - [PROMPT_INJECTION]: The skill exhibits an Indirect Prompt Injection surface (Category 8) as it ingests untrusted data from Claude Code session files (
~/.claude/projects/**/*.jsonl) and uses that data to perform calculations and shell-based operations. - Ingestion points: Reads JSONL files from the user's local
.claudedirectory (SKILL.md). - Boundary markers: No explicit boundary markers or 'ignore embedded instructions' warnings are present when processing session data.
- Capability inventory: Uses
orbitsubprocess calls for syncing, tracking, and pushing data. - Sanitization: No evidence of sanitization or validation of the session file content before processing.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/jorgemuza/orbit/main/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata