kweaver-core

Warn

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill grants the agent full access to the KWeaver CLI via Bash. This allows for extensive manipulation of platform resources, including the ability to delete or modify agents, knowledge networks, and system configurations.
  • [DATA_EXFILTRATION]: The kweaver call (and alias kweaver curl) tool allows for arbitrary HTTP requests to any URL. The CLI is designed to automatically inject the user's active session token into these requests, which could be exploited to exfiltrate sensitive data or credentials to an external server if the agent is compromised.
  • [REMOTE_CODE_EXECUTION]: The kweaver skill install and kweaver skill register commands facilitate the downloading, extraction, and installation of remote skill packages from a marketplace. Furthermore, the model small add command allows for the registration of Python adapter code, which is then executed on the platform.
  • [CREDENTIALS_UNSAFE]: The skill exposes the kweaver auth export command, which is explicitly designed to output active authentication credentials (refresh tokens) to the terminal or a file.
  • [PROMPT_INJECTION]: The skill features a significant attack surface for indirect prompt injection as it processes untrusted data from multiple sources, such as external dataflow logs, agent traces, and database query results.
  • Ingestion points: Data enters the agent's context through dataflow logs, agent trace (which includes LLM reasoning), skill content, and results from vega or bkn queries.
  • Boundary markers: There is a lack of specified boundary markers or sanitization requirements for the various data ingestion points in the provided instructions.
  • Capability inventory: The agent has access to powerful capabilities including full CLI execution (Bash), remote installation of packages (skill install), and arbitrary network requests (call).
  • Sanitization: While the instructions mention simple parsing for specific log formats, there is no comprehensive sanitization of external text before it is used to influence the agent's behavior.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 14, 2026, 06:35 PM