unity-input-system
Warn
Audited by Gen Agent Trust Hub on Apr 25, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The instruction in `references/runtime-checklist.md` advises the agent to use `cargo run -- <args>` if the `unity-cli` binary is not found on the PATH and the workspace is the repository. This is a dynamic execution pattern that allows the agent to compile and run whatever code is present in the current workspace, posing a risk if the workspace contains malicious or untrusted source files.
- [DATA_EXFILTRATION]: The skill utilizes network-based tool routing via `unity-cli system ping` and `unity-cli instances set-active <host:port>`. While these are standard for managing Unity Editor instances, they provide the agent with network communication capabilities that could be misused if host/port parameters are manipulated to point to external or malicious endpoints.
- [PROMPT_INJECTION]: The skill processes untrusted input through asset paths, map names, and action names which are interpolated into shell commands (e.g., `unity-cli raw create_action_map --json '...'`).
  - Ingestion points: User-provided strings for asset paths and configuration names in `SKILL.md`.
  - Boundary markers: Arguments are wrapped in JSON strings, but there are no explicit instructions for the agent to sanitize or escape shell metacharacters within those strings.
  - Capability inventory: The skill uses `Bash(unity-cli:*)` as specified in the `allowed-tools` section of `SKILL.md`.
  - Sanitization: No sanitization logic or validation steps are provided before passing these inputs to the CLI tool.
Audit Metadata