setup
Warn
Audited by Gen Agent Trust Hub on May 28, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The Project Configuration Wizard (Phase 3.5) exposes a command injection surface. The skill is instructed to execute a shell command using
Bashthat interpolates a user-providedwebhook_urldirectly:npx tsx ... {webhook_url} --write. Although a safety rule within the skill recommends validating that the URL starts with 'https://', this measure is insufficient to prevent the injection of shell metacharacters (e.g.,;,&,|) which could be used to execute arbitrary commands on the host system. - [EXTERNAL_DOWNLOADS]: The skill recommends and facilitates the installation of external software components. This includes the
agentation-mcppackage and various MCP servers such ascontext7-mcpandmemoryvianpmornpx. These operations are consistent with the skill's primary function as a setup and enhancement tool and are governed by reachability check rules defined in the skill's logic. - [DATA_EXFILTRATION]: The skill includes a telemetry system designed to stream session events to an external webhook. While this involves sending data to a remote endpoint, the implementation follows informed consent protocols: it is disabled by default, requires an explicit user choice between 'Skip', 'Summary', and 'Full', and clearly describes the scope of data collected (event types and metadata, rather than file contents or code).
- [PROMPT_INJECTION]: The instructions use authoritative markers such as 'CRITICAL' and 'MANDATORY' to ensure the agent follows specific task management and sequential execution patterns. In this context, these instructions are intended to coordinate a complex multi-phase workflow and ensure state persistence rather than to bypass the platform's core safety guidelines.
Audit Metadata