External Download
Skills that fetch and execute remote code, turning your agent into a malware delivery system
What is external download?
External download vulnerabilities occur when a skill downloads content from the internet and uses it in a potentially dangerous way. The classic pattern is fetching a script from a URL and piping it directly into a shell interpreter without inspection. But the category is broader than that: downloading binaries and executing them, fetching configuration files that override local settings, pulling in JavaScript that runs in an embedded browser, or retrieving serialized objects that execute code on deserialization.
The fundamental problem is trust delegation. When a skill downloads and runs remote code, you are trusting not just the skill author, but every server that code passes through, every CDN edge node, every DNS resolver in the chain. A compromised CDN or a DNS hijack turns a legitimate download into malware delivery.
Aguara detects sixteen patterns in this category, plus the SUPPLY_003 cross-category rule for download-and-execute chains. The detections cover remote script piping, dynamic binary downloads, remote script execution, archive extraction followed by execution, and more.
Why this matters for AI agents
AI agents amplify external download risks in two ways. First, the agent might download and execute code as part of normal tool use, making it hard for users to distinguish legitimate downloads from malicious ones. When your agent says "I will install this dependency for you," you probably approve it. You should not always.
Second, prompt injection can redirect downloads. A skill might be designed to download from a specific, trusted URL, but an injected instruction changes the URL to point at an attacker server. The skill download code is legitimate. The URL it is downloading from is not. The skill has no way to know the difference because the URL came from the agent, which got it from an injection.
The ephemerality of MCP sessions makes this worse. In a long-lived server, you might notice a suspicious binary that appeared overnight. In an agent session that spins up, does its work, and tears down, the evidence disappears. The downloaded malware runs, does its damage, and the session is gone.
Real-world examples
A "project setup" skill fetches a remote script and runs it directly via the shell to install dependencies. The domain is controlled by the skill author today, but the domain registration expires next month. An attacker registers the expired domain and replaces the script with a reverse shell. Every user who runs the skill after the domain takeover gets compromised.
A skill downloads a pre-built binary from a GitHub release, but does not verify the checksum. The skill works fine when the binary matches the expected version. But if the repository is compromised (or the download is intercepted), the skill runs whatever binary it receives. No integrity check means no detection.
A data-processing skill fetches a Python pickle file from a remote URL and deserializes it with pickle.loads(). Pickle deserialization executes arbitrary Python code by design. The remote server returns a pickle payload that, when deserialized, opens a reverse shell. The skill author may not even realize pickle is unsafe, since it is a standard library module.
How to protect against it
Never pipe downloaded content directly into a shell or interpreter. Always download first, verify integrity (checksums, signatures, or at minimum file size and type), inspect the content if feasible, then execute. This applies to scripts, binaries, configuration files, and serialized data.
Pin your dependencies to specific versions and verify their integrity. If your skill downloads a binary from GitHub Releases, include the expected SHA-256 hash and verify it before execution. If you use a package manager, lock your dependency versions. Avoid fetching "latest" from any URL.
As a user, pay attention when your agent downloads and runs things. If a skill needs to fetch external resources, it should document exactly what it downloads, from where, and why. Undocumented downloads are a strong signal of either poor security practices or malicious intent. Both are reasons not to install the skill.
Aguara detection rules (17)
Detects skills fetching external URLs to use as runtime instructions
Detects fetching remote documentation or code to load as agent context
Detects npx with -y flag that bypasses user confirmation for package installation
Detects global installation of packages which affects the host system
Detects instructions to modify shell config files for environment persistence
Detects automatic registration of MCP servers into agent configuration
Detects downloading a binary file followed by making it executable
Detects npx executing packages from unverified sources without pinned versions
Detects pip install of arbitrary packages that modify the host environment
Detects go install fetching and compiling arbitrary Go packages
Detects system-level package installation via brew, apt, yum, or dnf
Detects cargo install or gem install fetching packages from remote registries
Detects downloading scripts piped directly to a shell interpreter
Detects patterns that check for tool existence and install if missing
Detects pulling and running Docker images from external registries
Detects downloading binary, archive, or installer files from remote URLs
Detects patterns of downloading and piping to shell execution
Want to check if your skills have external download issues?
Scan now (free, runs in your browser)