mycelium
Fail
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructions advise users to install components by piping a remote script directly to bash: curl -fsSL https://raw.githubusercontent.com/openprose/mycelium/main/install.sh | bash. This execution pattern is insecure as it runs unverified code from a remote source with the user's local privileges.
- [COMMAND_EXECUTION]: The skill configuration includes the registration of several automated hooks (PostToolUse, SessionStart, Stop, SubagentStart) that execute shell and Python scripts automatically during the agent's operation, establishing a persistent execution environment for external tools.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its design of surfacing external git notes as context for the agent.
  - Ingestion points: Data is ingested from refs/notes/mycelium metadata via the mycelium.sh tool and injected into the agent's context as additionalContext.
  - Boundary markers: No delimiters or safety warnings are specified to separate the retrieved notes from the agent's instructions.
  - Capability inventory: The skill leverages automated hooks and shell scripts that can modify the file system and execute git commands.
  - Sanitization: There is no indication that the contents of the git notes are sanitized or validated before being provided to the agent.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/openprose/mycelium/main/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata