Skills
skills/andurilcode/skills/llms-txt-generator/Gen Agent Trust Hub

llms-txt-generator

Fail

Audited by Gen Agent Trust Hub on Mar 23, 2026

Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill constructs shell commands by directly interpolating user input. In Phase 1, the placeholders {org} and {repo} are used in a git clone command. A malicious user could provide a repository identifier containing shell metacharacters (e.g., myorg/repo; malicious_command) to execute arbitrary code on the host system.
  • [DATA_EXFILTRATION]: Through the command injection vulnerability in the git clone operation, an attacker could execute secondary commands to read sensitive local data, such as environment variables or SSH keys, and transmit them to a remote server using tools like curl or wget.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) due to its core documentation processing logic.
  • Ingestion points: Documentation files (.md, .mdx, .rst, .txt) are fetched from untrusted remote repositories or local directories and read into the agent's context.
  • Boundary markers: Absent. The synthesis phases do not define delimiters or instructions for the agent to ignore potentially malicious directions embedded within the documentation text.
  • Capability inventory: The skill has access to shell execution (git, find) and filesystem writes (/mnt/user-data/outputs/).
  • Sanitization: Absent. There is no evidence of filtering or validation of the ingested content before it is processed by the LLM for synthesis.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 23, 2026, 10:50 AM
Security Audit — agent-trust-hub — llms-txt-generator