native-web-search
Warn
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script implements a configuration resolver that executes shell commands via
execSyncif a value (such as an API key or access token) starts with an exclamation mark (!). This allows for arbitrary code execution if the local configuration fileauth.jsonis modified or influenced by an attacker. - [COMMAND_EXECUTION]: The skill dynamically imports the
@mariozechner/pi-aimodule by searching through several computed local paths, including environment variables (PI_AI_MODULE_PATH), the current directory, and up to eight levels of parent directories. Dynamically resolving and executing code from paths determined at runtime is a significant security risk. - [CREDENTIALS_UNSAFE]: The script reads and writes sensitive authentication credentials, including API keys and OAuth tokens, to the user's home directory at
~/.pi/agent/auth.json. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it interpolates user-provided search queries and purpose statements directly into the system prompts sent to remote AI models without any sanitization or use of boundary markers.
- Ingestion points: Command-line arguments
queryandpurposeprocessed insearch.mjs. - Boundary markers: None identified; user input is directly concatenated into the prompt string.
- Capability inventory: The skill possesses capabilities for file system access (
fs), network requests (fetch), and shell command execution (execSync). - Sanitization: No validation, escaping, or filtering is performed on user input before prompt interpolation.
Audit Metadata