enonic-app-manager

Fail

Audited by Gen Agent Trust Hub on Jun 12, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill instructs users to install the Enonic CLI on Linux using a highly insecure pattern that pipes a remote shell script directly into the system shell.
      • Evidence: wget -qO- https://repo.enonic.com/public/com/enonic/cli/installer/cli-linux/1.0.0/cli-linux-1.0.0.sh | sh found in SKILL.md and references/cli-reference.md.
      • Risk: This allows for the immediate execution of arbitrary code from a remote server without any integrity checks or manual review, which can lead to full system compromise if the source is compromised or the transport is intercepted.
  • [EXTERNAL_DOWNLOADS]: The skill downloads installers, dependencies, and configuration from various external sources.
      • Evidence:
          • Fetches an installer script from https://repo.enonic.com/.
          • Suggests installing the @enonic/cli package via npm.
          • References a Scoop bucket at https://github.com/enonic/cli-scoop.git for Windows installation.
          • Utilizes a Homebrew tap (enonic/cli) for macOS installation.
  • [COMMAND_EXECUTION]: The skill performs extensive local command execution to manage the Enonic XP lifecycle and project state.
      • Evidence:
          • Executes a custom Node.js script: node scripts/find-enonic-targets.mjs.
          • Executes the Enonic CLI with various administrative subcommands: enonic sandbox create/start/stop/delete, enonic project build/deploy/gradle.
          • Provides a bash template (assets/sandbox-setup.template.sh) that wraps multiple CLI operations.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it automatically ingests data from local project files and uses it to drive agent behavior.
      • Ingestion points: The scripts/find-enonic-targets.mjs script reads build.gradle, .enonic/sandbox.cfg, and gradle.properties files from the current workspace.
      • Boundary markers: There are no boundary markers or instructions for the agent to ignore malicious commands embedded within the project configuration files.
      • Capability inventory: The agent has the capability to create sandboxes, deploy applications, and run arbitrary Gradle tasks based on the values parsed from these files.
      • Sanitization: No sanitization, validation, or escaping is performed on the extracted strings (like project names or versions) before they are interpolated into shell commands.
Recommendations
  • HIGH: Downloads and executes remote code from: https://repo.enonic.com/public/com/enonic/cli/installer/cli-linux/1.0.0/cli-linux-1.0.0.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Jun 12, 2026, 08:10 PM