art

Warn

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: Several workflow files (e.g., Workflows/Essay.md) use strong behavioral-forcing language and 'MANDATORY' step requirements designed to override the agent's default operational behavior.
  • [PROMPT_INJECTION]: Workflows/TechnicalDiagrams.md includes an instruction for the agent to 'Confirm this mentally for 1 full second', a pattern characteristic of prompt injection aimed at bypassing internal deliberation or forcing specific neural states.
  • [COMMAND_EXECUTION]: Multiple files in the Workflows/ directory contain curl commands directed at a ${PAI_NOTIFY_URL}. Although the main SKILL.md instructs the agent to ignore these, their inclusion as code blocks provides a direct command execution surface.
  • [COMMAND_EXECUTION]: The Tools/Generate.ts script uses node:child_process's exec function to run ImageMagick and WebP utilities. The command strings are constructed via unsanitized string interpolation of file paths, which is vulnerable to shell command injection if malicious paths are passed as arguments.
  • [COMMAND_EXECUTION]: Instructions in Workflows/Essay.md direct the agent to execute a sequence of shell commands (magick, cwebp, rm, ls) on local files. This provides an opportunity for an attacker to achieve arbitrary command execution if they can influence the filenames processed by these workflows.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 16, 2026, 10:23 PM