yanzi-extension-dev
Fail
Audited by Gen Agent Trust Hub on Jun 18, 2026
Risk Level: HIGHCREDENTIALS_UNSAFEREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill instructs the agent to extract the
agentApiTokenfrom a local configuration file at%LOCALAPPDATA%\OpenQuickHost\appsettings.local.jsonto authenticate with the local management API. - [REMOTE_CODE_EXECUTION]: The extension host allows for the dynamic compilation and execution of arbitrary C# and PowerShell code provided via manifest files (inline) or local script files. It also supports remote installation of extensions from an app store.
- [COMMAND_EXECUTION]: The documentation provides instructions for establishing persistence and performing high-privilege system operations, such as:
- Configuring extensions to launch automatically with the host application using the
startupmanifest parameter. - Implementing resident background services using Win32 API hooks (
RegisterHotKey,SetWindowsHookEx) to persist logic after initial execution. - Using PowerShell for system-wide automation, including registry modification and process management.
- [PROMPT_INJECTION]: The skill defines a significant attack surface for indirect prompt injection by ingesting untrusted data from multiple sources without sanitization:
- Ingestion points: Data retrieved from the system clipboard (
Get-Clipboard), external API responses (hitokoto.cn), and theInputTextvariable. - Boundary markers: No delimiters or safety instructions are used when processing external data.
- Capability inventory: The skill possesses full execution capabilities for C# and PowerShell, local file system access, and network request functionality.
- Sanitization: No validation, escaping, or filtering of ingested data is described.
- [DATA_EXFILTRATION]: The skill combines the ability to read sensitive local tokens and system data (e.g., clipboard, configuration files) with the capability to perform outbound HTTP requests, providing a clear path for data exfiltration.
Recommendations
- AI detected serious security threats
Audit Metadata