cli-tools

Fail

Audited by Gen Agent Trust Hub on Apr 22, 2026

Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/installers/package_manager.sh executes shell commands retrieved from the version_command field in catalog metadata JSON files using bash -c. Although it attempts to validate these commands against a whitelist, the whitelist includes powerful interpreters like python, python3, and ruby, enabling arbitrary code execution if the metadata is compromised.
  • [COMMAND_EXECUTION]: The skill implements a persistence mechanism in scripts/lib/path_check.sh and scripts/check_environment.sh by modifying user shell startup files (such as .bashrc, .zshrc, and .profile). It appends PATH exports, environment variable settings, and shell hooks using eval, ensuring that specified code runs automatically in every future shell session.
  • [COMMAND_EXECUTION]: Extensive use of sudo is found across multiple scripts, including scripts/auto_update.sh (for system package upgrades) and scripts/lib/common.sh (for package removal), granting the skill administrative control over the host system.
  • [EXTERNAL_DOWNLOADS]: Several installer scripts download and execute binaries or scripts from external sources, including GitHub (github.com), GitLab (gitlab.com), HashiCorp (releases.hashicorp.com), AWS, and Composer (getcomposer.org). While these are well-known developer services, the automated downloading and execution of remote binaries carries inherent security risks.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through project metadata files processed during auditing and tool recommendation workflows.
    • Ingestion points: Processes project manifest files such as package.json, Gemfile, and pyproject.toml in the working directory via scripts/detect_project_type.sh.
    • Boundary markers: None implemented for data processed in shell scripts.
    • Capability inventory: High-privilege access including sudo, remote binary execution, and the ability to modify shell RC files.
    • Sanitization: Validation logic is present in package_manager.sh but is bypassable due to the inclusion of code interpreters in the execution allowlist.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 22, 2026, 07:34 PM