yc-batch-evaluator
Fail
Audited by Gen Agent Trust Hub on Jul 2, 2026
Risk Level: HIGHCREDENTIALS_UNSAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill instructs the agent to read sensitive API keys and configuration data from the local filesystem at
~/.gooseworks/credentials.jsonusing shell commands. - [DATA_EXFILTRATION]: Extracted credentials from the local filesystem are subsequently transmitted via
curlheaders to an external API endpoint atapi.gooseworks.ai. - [PROMPT_INJECTION]: Instructions explicitly command the agent to override standard interactive procedures with directives like "Do NOT ask clarifying questions. Just start immediately," which forces immediate execution and bypasses user confirmation loops.
- [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by ingesting and processing content from arbitrary third-party websites in Step 3b.
- Ingestion points: Scrapes product and traction data from dynamic
{company_website}URLs. - Boundary markers: No delimiters or "ignore instructions" warnings are used to isolate untrusted web content from the agent's logic.
- Capability inventory: The agent can execute shell commands (
curl), read local files, and write data to external Google Sheets. - Sanitization: There is no evidence of validation or filtering for the scraped content before it is processed by the model.
- [COMMAND_EXECUTION]: The skill utilizes shell commands via
python3 -cto parse local JSON files and extract sensitive strings into environment variables. - [EXTERNAL_DOWNLOADS]: The skill relies on
npxto execute external packages (gooseworks login,goose-skills install) and performs numerous network requests to third-party APIs (Apollo, Perplexity, Scrapegraph) through a vendor-controlled proxy.
Recommendations
- AI detected serious security threats
Audit Metadata