skills/lobehub/lobe-chat/cli/Gen Agent Trust Hub

cli

Pass

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The documentation provides official guidance for developing and using the LobeHub CLI. The files are purely instructional and contain no executable code or malicious instructions.\n- [CREDENTIALS_UNSAFE]: The guide documents that encrypted tokens are stored in ~/.lobehub/credentials.json. This information is provided for architectural awareness and follows standard CLI configuration patterns.\n- [EXTERNAL_DOWNLOADS]: The lh skill install command is detailed as a feature for fetching skills from GitHub repositories or remote ZIP URLs to extend platform capabilities.\n- [COMMAND_EXECUTION]: The CLI architecture includes @lobechat/local-file-shell for shell command execution and file operations, which are documented features used for gateway connectivity.\n- [REMOTE_CODE_EXECUTION]: The skill installation mechanism allows for the ingestion of instructions and capabilities from remote sources, which is presented as a core feature of the agent ecosystem.\n- [PROMPT_INJECTION]: The documentation describes several data ingestion surfaces that present an indirect prompt injection risk:\n
  • Ingestion points: Content enters the agent context through lh doc parse (references/knowledge.md) and lh skill install (references/skills-plugins.md).\n
  • Boundary markers: The architectural guide does not specify the use of delimiters or explicit instructions to ignore embedded commands.\n
  • Capability inventory: The CLI tool possesses shell execution (apps/cli/src/tools/shell.ts) and file system access capabilities.\n
  • Sanitization: Input validation and sanitization procedures are not covered in the provided development references.
Audit Metadata
Risk Level
SAFE
Analyzed
May 20, 2026, 08:33 PM
Security Audit — agent-trust-hub — cli