env-patch
Fail
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructions in SKILL.md and references/dynamic-loading.md direct the agent to download JavaScript files from arbitrary remote URLs and execute them using node or the vm module. This pattern enables the execution of untrusted code within the local environment.
- [COMMAND_EXECUTION]: The skill provides shell command templates for curl to fetch scripts and data. These commands are intended to retrieve and potentially execute remote content.
- [EXTERNAL_DOWNLOADS]: The core functionality of the skill involves downloading external resources from non-whitelisted domains to populate project directories.
- [DATA_EXFILTRATION]: Instructions in references/dynamic-loading.md guide the agent to include sensitive headers, such as browser cookies, in curl requests to external APIs. This poses a risk of credential exfiltration if target domains are malicious.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it ingests untrusted data from external sources and has the capability to execute it, providing a mechanism for malicious content to influence agent behavior. There are no sanitization or boundary markers implemented for the downloaded data.
Recommendations
- AI detected serious security threats
Audit Metadata