autocli
Fail
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill contains instructions for the AI agent to install a binary by downloading a shell script from a remote URL (https://raw.githubusercontent.com/nashsu/AutoCLI/main/scripts/install.sh) and piping it directly to the system shell (sh). This method bypasses integrity checks and allows for arbitrary code execution on the user's machine.
- [COMMAND_EXECUTION]: The skill allows the agent to execute the autocli command with user-supplied arguments. This tool can also act as a wrapper for other powerful system CLIs like gh, docker, and kubectl, potentially allowing the agent to perform unauthorized actions in the user's development or cloud environments. Additionally, the 'self-iteration' capability allows the agent to generate and execute its own JavaScript-based scraping logic.
- [DATA_EXFILTRATION]: The skill is designed to interact with 55+ web platforms by reusing the user's existing Chrome browser sessions and cookies. This provides the agent with access to sensitive personal data and accounts. Without strict controls, this capability could be abused to exfiltrate private messages, session tokens, or other protected information from the browser.
- [EXTERNAL_DOWNLOADS]: The skill instructions direct the user to download and install a third-party Chrome extension from a GitHub release page. This introduces a supply chain risk, as the extension is required for the tool's core browser-interaction functionality and could be a vector for malicious behavior.
- [PROMPT_INJECTION]: The skill processes content fetched from untrusted third-party websites. This exposes the agent to indirect prompt injection attacks where malicious data from a website could override the agent's instructions. * Ingestion points: Data from 55+ sites (Twitter, Reddit, YouTube, etc.) fetched in real-time. * Boundary markers: The SKILL.md lacks explicit markers or safety instructions for handling fetched web content. * Capability inventory: High-risk capabilities including command execution and browser session access. * Sanitization: No sanitization of the fetched content is specified before it is processed by the agent.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/nashsu/AutoCLI/main/scripts/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata