adguard-home
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONNO_CODE
Full Analysis
- Privilege Escalation (HIGH): The skill explicitly instructs the agent to use
sudovia SSH for service management (systemctl), log retrieval (journalctl), and software updates. Granting an agent the ability to execute privileged commands on a network-critical server presents a significant security risk. - Indirect Prompt Injection (HIGH): (1) Ingestion points: The skill reads untrusted data from DNS query logs (
/control/querylog) and external blocklist URLs. (2) Boundary markers: No delimiters or sanitization logic are defined in the instructions to prevent the agent from interpreting log entries as instructions. (3) Capability inventory: The skill has extensive 'write' and 'execute' capabilities, including modifying DNS rewrites, adding filtering rules, and executing shell commands. (4) Sanitization: None present. - Unverifiable Logic (MEDIUM): The primary functional component,
scripts/adguard_api.py, is missing from the skill package. This prevents auditing of how credentials are handled and whether any hidden exfiltration logic exists. - Credential Exposure (MEDIUM): Instructions require users to store
ADGUARD_PASSand SSH credentials in environment variables. If the agent's environment is not strictly isolated, these secrets are at risk of exposure.
Recommendations
- AI detected serious security threats
Audit Metadata