yc-batch-evaluator

Fail

Audited by Gen Agent Trust Hub on Jul 2, 2026

Risk Level: HIGHCREDENTIALS_UNSAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill instructs the agent to read sensitive API keys and configuration data from the local filesystem at ~/.gooseworks/credentials.json using shell commands.
  • [DATA_EXFILTRATION]: Extracted credentials from the local filesystem are subsequently transmitted via curl headers to an external API endpoint at api.gooseworks.ai.
  • [PROMPT_INJECTION]: Instructions explicitly command the agent to override standard interactive procedures with directives like "Do NOT ask clarifying questions. Just start immediately," which forces immediate execution and bypasses user confirmation loops.
  • [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by ingesting and processing content from arbitrary third-party websites in Step 3b.
  • Ingestion points: Scrapes product and traction data from dynamic {company_website} URLs.
  • Boundary markers: No delimiters or "ignore instructions" warnings are used to isolate untrusted web content from the agent's logic.
  • Capability inventory: The agent can execute shell commands (curl), read local files, and write data to external Google Sheets.
  • Sanitization: There is no evidence of validation or filtering for the scraped content before it is processed by the model.
  • [COMMAND_EXECUTION]: The skill utilizes shell commands via python3 -c to parse local JSON files and extract sensitive strings into environment variables.
  • [EXTERNAL_DOWNLOADS]: The skill relies on npx to execute external packages (gooseworks login, goose-skills install) and performs numerous network requests to third-party APIs (Apollo, Perplexity, Scrapegraph) through a vendor-controlled proxy.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jul 2, 2026, 06:17 AM
Security Audit — agent-trust-hub — yc-batch-evaluator