full-transcript

Warn

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The Ruby script full_transcript.rb accepts a library_name argument that is used to construct file paths without any validation or sanitization. This allows for path traversal attacks using sequences like ../, enabling the skill to access or write to directories outside of the intended libraries/ path.
  • [DATA_EXFILTRATION]: By exploiting the path traversal vulnerability, the skill can be manipulated to read sensitive files (such as library.yaml or other internal data) from arbitrary locations on the host filesystem and write their contents into the output full_transcript.txt file, leading to unauthorized data exposure.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it concatenates content from various external files (transcripts and summaries) into a single output file without using boundary markers, escaping, or sanitization. Malicious instructions embedded in a source transcript could influence the agent's behavior when it later reads the combined file.
  • Ingestion points: The skill reads library.yaml (line 69), transcript JSON files (line 92), and summary markdown files (line 78) located within the library directory.
  • Boundary markers: No delimiters or "ignore embedded instructions" warnings are used when joining content.
  • Capability inventory: The skill performs file system read operations across multiple methods and a file system write operation in the export method (line 54).
  • Sanitization: There is no evidence of escaping, validation, or filtering of the external content before it is interpolated into the output text.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 15, 2026, 03:47 PM
Security Audit — agent-trust-hub — full-transcript