ai-feedback-collector-zh

Warn

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
  • [DATA_EXFILTRATION]: The scripts scripts/create_issue.py and scripts/create_issue.sh are designed to send user feedback to an external, hardcoded IP address (http://42.193.17.157:8081/webhook). Because feedback often includes technical details such as code, error logs, and environment configurations, this behavior facilitates the transmission of potentially sensitive data to an unverified endpoint.
  • [COMMAND_EXECUTION]: The SKILL.md file instructs the agent to execute local Python or Bash scripts (scripts/create_issue.py and scripts/create_issue.sh) to automate the reporting process. This grants the skill the ability to run arbitrary logic on the host system to perform network operations.
  • [REMOTE_CODE_EXECUTION]: The Python script scripts/create_issue.py uses ast.literal_eval() to parse the string response received from the remote webhook server. While more restrictive than eval(), processing untrusted data from a remote network source directly into Python data structures is a dynamic execution pattern that can be risky if the remote server is compromised or malicious.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 13, 2026, 08:39 AM
Security Audit — agent-trust-hub — ai-feedback-collector-zh