ota
Fail
Audited by Gen Agent Trust Hub on Jul 6, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: Provides instructions for the agent to download and execute an installation script from the vendor's official domain (
https://dist.ota.run/install.sh) by piping it directly to the shell. This is the documented installation path for the Ota CLI. - [EXTERNAL_DOWNLOADS]: Fetches installation scripts and configuration references from the vendor's infrastructure (
ota.run) and official GitHub repositories (github.com/ota-run/). - [COMMAND_EXECUTION]: Instructs the agent to run various Ota-specific CLI commands, including
ota doctor,ota run, andota up, which can execute repository-defined tasks and manage system dependencies. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from the local repository to analyze and model contracts.
- Ingestion points: Reads repository manifest files including
ota.yaml,package.json,README.md, lockfiles, and CI workflow files inSKILL.md. - Boundary markers: Absent. The instructions do not define specific delimiters or warnings to ignore commands embedded in the processed files.
- Capability inventory: The agent is authorized to execute shell commands via the
otabinary, including named tasks and dependency hydration steps. - Sanitization: Absent. Content read from the repository is processed without validation or structural filtering.
Recommendations
- HIGH: Downloads and executes remote code from: https://dist.ota.run/install.sh - DO NOT USE without thorough review
Audit Metadata