setup
Fail
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: Fetches and executes the uv package manager installer from the official domain of a well-known technology provider (astral.sh).
- [COMMAND_EXECUTION]: Executes an embedded Python script to initialize and update the local preference file at ~/.ouroboros/prefs.json.
- [COMMAND_EXECUTION]: Modifies the agent's global configuration file (~/.claude/mcp.json) to register the Ouroboros MCP server, enabling persistent tool access across sessions.
- [DATA_EXFILTRATION]: Invokes the GitHub CLI (gh api) to perform an authenticated outbound action (starring a repository) on behalf of the user.
- [PROMPT_INJECTION]: Indirect prompt injection surface exists as the skill processes and modifies user-controlled project and configuration files.
- Ingestion points: Reads content from CLAUDE.md and system-level configuration files (~/.claude/mcp.json).
- Boundary markers: No specific markers or delimiters are used to isolate processed file content from internal agent instructions.
- Capability inventory: The skill possesses capabilities including shell command execution (curl, python3, gh, uvx, pipx), file system modification, and authenticated network operations.
- Sanitization: The skill uses standard JSON parsing for configuration data but lacks content validation or sanitization for markdown file modifications.
Recommendations
- HIGH: Downloads and executes remote code from https://astral.sh/uv/install.sh. DO NOT USE without thorough review.
Audit Metadata