skills/patterai/skills/setup-patter/Gen Agent Trust Hub

setup-patter

Fail

Audited by Gen Agent Trust Hub on Jul 2, 2026

Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill implements a workflow that requires users to paste raw API keys and authentication tokens (including OpenAI, Twilio, ElevenLabs, and others) directly into the agent conversation. This exposes sensitive secrets to the agent's history and potential logging systems.
  • [COMMAND_EXECUTION]: The skill performs validation of user-provided keys by interpolating them into shell commands via curl. For example, it executes curl -H "Authorization: Bearer $OPENAI_API_KEY". This creates a command injection vulnerability if a user provides a value containing shell metacharacters.
  • [CREDENTIALS_UNSAFE]: The skill automates the creation of a .env file containing the collected secrets. While it advises the user to check .gitignore, the process of the agent handling these raw strings increases the risk of accidental exposure.
  • [EXTERNAL_DOWNLOADS]: The skill installs the getpatter library from standard package registries (PyPI and NPM). While these are official sources, the skill relies on the presence and integrity of these external dependencies at runtime.
  • [COMMAND_EXECUTION]: The skill generates and executes a test script (test_setup.py or test-setup.ts) that imports the installed library and initializes services using the user-provided credentials.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jul 2, 2026, 06:57 PM
Security Audit — agent-trust-hub — setup-patter