art
Warn
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Several workflow files (e.g.,
Workflows/Essay.md) use strong behavioral-forcing language and 'MANDATORY' step requirements designed to override the agent's default operational behavior. - [PROMPT_INJECTION]:
Workflows/TechnicalDiagrams.mdincludes an instruction for the agent to 'Confirm this mentally for 1 full second', a pattern characteristic of prompt injection aimed at bypassing internal deliberation or forcing specific neural states. - [COMMAND_EXECUTION]: Multiple files in the
Workflows/directory containcurlcommands directed at a${PAI_NOTIFY_URL}. Although the mainSKILL.mdinstructs the agent to ignore these, their inclusion as code blocks provides a direct command execution surface. - [COMMAND_EXECUTION]: The
Tools/Generate.tsscript usesnode:child_process'sexecfunction to run ImageMagick and WebP utilities. The command strings are constructed via unsanitized string interpolation of file paths, which is vulnerable to shell command injection if malicious paths are passed as arguments. - [COMMAND_EXECUTION]: Instructions in
Workflows/Essay.mddirect the agent to execute a sequence of shell commands (magick,cwebp,rm,ls) on local files. This provides an opportunity for an attacker to achieve arbitrary command execution if they can influence the filenames processed by these workflows.
Audit Metadata