sydney-commute

Fail

Audited by Gen Agent Trust Hub on May 5, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes dynamic context injection in SKILL.md to execute shell commands automatically when the skill is loaded by the agent. This includes a script that accesses ~/.config/sydney-commute/credentials.json to verify the presence of an API key, which constitutes sensitive file access at load time.
  • [COMMAND_EXECUTION]: The commute.py script initiates a local HTTP server and opens a system web browser to perform high-accuracy geolocation using the browser's Geolocation API.
  • [EXTERNAL_DOWNLOADS]: The skill makes network requests to several external endpoints: api.transport.nsw.gov.au for official transit data, nominatim.openstreetmap.org for geocoding services, and ip-api.com for IP-based location fallback.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests and processes data from external APIs (TfNSW and OpenStreetMap). While the instructions guide the agent to parse the JSON output into specific formats, the content originates from untrusted external sources.
    ◦ Ingestion points: commute.py (TfNSW API responses, Nominatim geocoding data)
    ◦ Boundary markers: The instructions in SKILL.md advise the agent to parse JSON from stdout and follow specific presentation rules, but no explicit 'ignore embedded instructions' markers are used for the API data itself.
    ◦ Capability inventory: Bash(uv run *), Read, Write (specified in allowed-tools)
    ◦ Sanitization: None detected in the script; the skill relies on the agent's instructions to correctly interpret and display the returned JSON data.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 5, 2026, 01:33 AM