native-web-search

Warn

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script implements a configuration resolver that executes shell commands via execSync if a value (such as an API key or access token) starts with an exclamation mark (!). This allows for arbitrary code execution if the local configuration file auth.json is modified or influenced by an attacker.
  • [COMMAND_EXECUTION]: The skill dynamically imports the @mariozechner/pi-ai module by searching through several computed local paths, including environment variables (PI_AI_MODULE_PATH), the current directory, and up to eight levels of parent directories. Dynamically resolving and executing code from paths determined at runtime is a significant security risk.
  • [CREDENTIALS_UNSAFE]: The script reads and writes sensitive authentication credentials, including API keys and OAuth tokens, to the user's home directory at ~/.pi/agent/auth.json.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it interpolates user-provided search queries and purpose statements directly into the system prompts sent to remote AI models without any sanitization or use of boundary markers.
  • Ingestion points: Command-line arguments query and purpose processed in search.mjs.
  • Boundary markers: None identified; user input is directly concatenated into the prompt string.
  • Capability inventory: The skill possesses capabilities for file system access (fs), network requests (fetch), and shell command execution (execSync).
  • Sanitization: No validation, escaping, or filtering is performed on user input before prompt interpolation.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 14, 2026, 10:15 AM
Security Audit — agent-trust-hub — native-web-search