book-cover-design
Warn
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches installation guidelines and skill dependencies from an untrusted third-party GitHub repository (inference-sh/skills).
- [REMOTE_CODE_EXECUTION]: Promotes the installation and execution of the unverified 'belt' CLI tool and utilizes 'npx' to dynamically add and execute additional skills from an external source.
- [COMMAND_EXECUTION]: Directs the agent to execute shell commands using the 'belt' utility for authentication and application execution.
- [PROMPT_INJECTION]: Exhibits a vulnerability surface for indirect prompt injection.
  1. Ingestion points: User-provided prompts in the 'belt app run' bash blocks in SKILL.md.
  2. Boundary markers: No delimiters or escape sequences are present to isolate user input.
  3. Capability inventory: Execution of arbitrary shell commands via the 'belt' CLI.
  4. Sanitization: No input validation or sanitization is implemented for the interpolated prompt strings.