setup-patter
Fail
Audited by Gen Agent Trust Hub on Jul 2, 2026
Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill implements a workflow that requires users to paste raw API keys and authentication tokens (including OpenAI, Twilio, ElevenLabs, and others) directly into the agent conversation. This exposes sensitive secrets to the agent's history and potential logging systems.
- [COMMAND_EXECUTION]: The skill performs validation of user-provided keys by interpolating them into shell commands via
curl. For example, it executescurl -H "Authorization: Bearer $OPENAI_API_KEY". This creates a command injection vulnerability if a user provides a value containing shell metacharacters. - [CREDENTIALS_UNSAFE]: The skill automates the creation of a
.envfile containing the collected secrets. While it advises the user to check.gitignore, the process of the agent handling these raw strings increases the risk of accidental exposure. - [EXTERNAL_DOWNLOADS]: The skill installs the
getpatterlibrary from standard package registries (PyPI and NPM). While these are official sources, the skill relies on the presence and integrity of these external dependencies at runtime. - [COMMAND_EXECUTION]: The skill generates and executes a test script (
test_setup.pyortest-setup.ts) that imports the installed library and initializes services using the user-provided credentials.
Recommendations
- AI detected serious security threats
Audit Metadata