room
Fail
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The preprocessing directive in SKILL.md executes shell commands including !agentbook room-inbox $ARGUMENTS. The $ARGUMENTS variable, which contains user-provided input, is interpolated directly into a shell context without any sanitization or validation. This allows an attacker to execute arbitrary commands by injecting shell metacharacters (e.g., semicolons, pipes, or command substitution) into the arguments.
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection via the following evidence chain: 1. Ingestion points: External chat data is ingested from the output of the agentbook rooms and agentbook room-inbox commands. 2. Boundary markers: There are no delimiters or instructions to ignore embedded commands within the fetched chat messages. 3. Capability inventory: The skill has the capability to execute shell commands via the agentbook CLI tool. 4. Sanitization: No sanitization, filtering, or escaping is applied to the retrieved chat messages before they are injected into the agent's context.
Recommendations
- AI detected serious security threats
Audit Metadata