updatefirstmate

Warn

Audited by Gen Agent Trust Hub on Jun 24, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes local shell scripts bin/fm-update.sh and bin/fm-send.sh to perform system updates and send notifications.
  • [REMOTE_CODE_EXECUTION]: The skill performs a Git fast-forward from a remote source (origin). This process downloads and applies updates to the agent's executable scripts (bin/) and logic, effectively allowing remote code to modify the agent's runtime environment.
  • [PROMPT_INJECTION]: This skill exhibits an indirect prompt injection surface by instructing the agent to re-read AGENTS.md (and the symlinked CLAUDE.md) immediately after pulling remote changes. This allows the remote Git repository to override or alter the agent's core operating instructions.
      • Ingestion points: Remote Git repository (origin) data is merged into local files, specifically AGENTS.md.
      • Boundary markers: None identified; the agent is instructed to read the file directly to "refresh your operating instructions."
      • Capability inventory: The skill utilizes bin/fm-update.sh (shell script execution) and bin/fm-send.sh (inter-process communication/messaging).
      • Sanitization: The skill relies on Git's "fast-forward only" logic to prevent disruptive merges, but it does not validate the content of the instructions being pulled.
  • [DYNAMIC_EXECUTION]: The skill facilitates self-modifying behavior by updating and then reloading its own instruction set (AGENTS.md) and binaries at runtime.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Jun 24, 2026, 05:31 AM