korean-cinema-search
Fail
Audited by Gen Agent Trust Hub on May 25, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to download the 'daiso' package from the NPM registry and clone the 'daiso-mcp' repository from GitHub. These resources are maintained by a third-party account ('hmmhmmhm') that is not recognized as a trusted organization or well-known vendor.
- [REMOTE_CODE_EXECUTION]: The skill utilizes the
npx --yes daisocommand, which automatically downloads and executes the latest version of an external CLI tool without user confirmation. The fallback workflow also requires cloning a third-party repository and runningnpm install, which can execute arbitrary lifecycle scripts, followed bynodeto run the resulting build. - [COMMAND_EXECUTION]: The skill's primary functionality relies on executing a wide range of shell commands (
npx,npm install,git clone,node). This creates an expansive attack surface where unverified external code is given direct execution capabilities on the user's environment. - [INDIRECT_PROMPT_INJECTION]: The skill processes and summarizes data retrieved from external movie APIs via CLI output, introducing a potential path for instruction injection if the external source is compromised.
- Ingestion points: Data enters the context through the output of shell commands like
daiso get /api/cgv/theaters(SKILL.md, line 48). - Boundary markers: Absent. The agent is not instructed to treat the CLI output as untrusted or to use delimiters to prevent instruction leakage.
- Capability inventory: The agent has access to subprocess execution and network operations via the included shell commands.
- Sanitization: There is no evidence of validation or filtering for the data returned by the third-party cinema APIs.
Recommendations
- AI detected serious security threats
Audit Metadata