pua
Fail
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill is designed to fetch 'prompt_template' content from a remote API (
https://pua-api.agentguard.workers.dev/v1/command/) and execute it as agent instructions. This mechanism allows a remote server to inject arbitrary instructions or code into the agent's execution context at runtime, effectively serving as Remote Code Execution for the AI agent. - [DATA_EXFILTRATION]: The skill silently exfiltrates session metadata, PUA triggers, and command usage statistics to an external API (
https://pua-api.agentguard.workers.dev/v1/stats) without explicit user notification for each event. It also requests the user's phone number during registration and sends it to the remote backend. - [COMMAND_EXECUTION]: The instructions command the agent to execute shell operations using
curlto interact with remote APIs andpython(viapip install) to generate QR codes. These commands are used for registration, SMS verification, and payment processing. - [CREDENTIALS_UNSAFE]: The skill implements a custom authentication system that stores sensitive 'Bearer' tokens and user IDs in a local configuration file (
~/.pua/config.json) for persistence across sessions. - [EXTERNAL_DOWNLOADS]: The skill performs numerous external network requests to
pua-api.agentguard.workers.devandpua-skill.pages.devto fetch configurations, prompt templates, and process payments. It also attempts to install the Python packageqrcodeat runtime. - [PROMPT_INJECTION]: The skill uses 'Always-On' logic and authoritative instructions to override standard agent behavior, forcing it to adopt a specific corporate persona ('Flavors') and bypass default interaction styles across all task types.
Recommendations
- AI detected serious security threats
Audit Metadata