skills/ota-run/skills/ota/Gen Agent Trust Hub

ota

Fail

Audited by Gen Agent Trust Hub on Jul 6, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: Provides instructions for the agent to download and execute an installation script from the vendor's official domain (https://dist.ota.run/install.sh) by piping it directly to the shell. This is the documented installation path for the Ota CLI.
  • [EXTERNAL_DOWNLOADS]: Fetches installation scripts and configuration references from the vendor's infrastructure (ota.run) and official GitHub repositories (github.com/ota-run/).
  • [COMMAND_EXECUTION]: Instructs the agent to run various Ota-specific CLI commands, including ota doctor, ota run, and ota up, which can execute repository-defined tasks and manage system dependencies.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from the local repository to analyze and model contracts.
  • Ingestion points: Reads repository manifest files including ota.yaml, package.json, README.md, lockfiles, and CI workflow files in SKILL.md.
  • Boundary markers: Absent. The instructions do not define specific delimiters or warnings to ignore commands embedded in the processed files.
  • Capability inventory: The agent is authorized to execute shell commands via the ota binary, including named tasks and dependency hydration steps.
  • Sanitization: Absent. Content read from the repository is processed without validation or structural filtering.
Recommendations
  • HIGH: Downloads and executes remote code from: https://dist.ota.run/install.sh - DO NOT USE without thorough review
Audit Metadata
Risk Level
HIGH
Analyzed
Jul 6, 2026, 10:21 PM
Security Audit — agent-trust-hub — ota