korean-cinema-search

Fail

Audited by Gen Agent Trust Hub on May 25, 2026

Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the agent to download the 'daiso' package from the NPM registry and clone the 'daiso-mcp' repository from GitHub. These resources are maintained by a third-party account ('hmmhmmhm') that is not recognized as a trusted organization or well-known vendor.
  • [REMOTE_CODE_EXECUTION]: The skill utilizes the npx --yes daiso command, which automatically downloads and executes the latest version of an external CLI tool without user confirmation. The fallback workflow also requires cloning a third-party repository and running npm install, which can execute arbitrary lifecycle scripts, followed by node to run the resulting build.
  • [COMMAND_EXECUTION]: The skill's primary functionality relies on executing a wide range of shell commands (npx, npm install, git clone, node). This creates an expansive attack surface where unverified external code is given direct execution capabilities on the user's environment.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes and summarizes data retrieved from external movie APIs via CLI output, introducing a potential path for instruction injection if the external source is compromised.
  • Ingestion points: Data enters the context through the output of shell commands like daiso get /api/cgv/theaters (SKILL.md, line 48).
  • Boundary markers: Absent. The agent is not instructed to treat the CLI output as untrusted or to use delimiters to prevent instruction leakage.
  • Capability inventory: The agent has access to subprocess execution and network operations via the included shell commands.
  • Sanitization: There is no evidence of validation or filtering for the data returned by the third-party cinema APIs.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 25, 2026, 06:09 AM