updatefirstmate
Warn
Audited by Gen Agent Trust Hub on Jun 24, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local shell scripts
bin/fm-update.shandbin/fm-send.shto perform system updates and send notifications. - [REMOTE_CODE_EXECUTION]: The skill performs a Git fast-forward from a remote source (
origin). This process downloads and applies updates to the agent's executable scripts (bin/) and logic, effectively allowing remote code to modify the agent's runtime environment. - [PROMPT_INJECTION]: This skill exhibits an indirect prompt injection surface by instructing the agent to re-read
AGENTS.md(and the symlinkedCLAUDE.md) immediately after pulling remote changes. This allows the remote Git repository to override or alter the agent's core operating instructions. - Ingestion points: Remote Git repository (
origin) data is merged into local files, specificallyAGENTS.md. - Boundary markers: None identified; the agent is instructed to read the file directly to "refresh your operating instructions."
- Capability inventory: The skill utilizes
bin/fm-update.sh(shell script execution) andbin/fm-send.sh(inter-process communication/messaging). - Sanitization: The skill relies on Git's "fast-forward only" logic to prevent disruptive merges, but it does not validate the content of the instructions being pulled.
- [DYNAMIC_EXECUTION]: The skill facilitates self-modifying behavior by updating and then reloading its own instruction set (
AGENTS.md) and binaries at runtime.
Audit Metadata