full-transcript
Warn
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The Ruby script
full_transcript.rbaccepts alibrary_nameargument that is used to construct file paths without any validation or sanitization. This allows for path traversal attacks using sequences like../, enabling the skill to access or write to directories outside of the intendedlibraries/path. - [DATA_EXFILTRATION]: By exploiting the path traversal vulnerability, the skill can be manipulated to read sensitive files (such as
library.yamlor other internal data) from arbitrary locations on the host filesystem and write their contents into the outputfull_transcript.txtfile, leading to unauthorized data exposure. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it concatenates content from various external files (transcripts and summaries) into a single output file without using boundary markers, escaping, or sanitization. Malicious instructions embedded in a source transcript could influence the agent's behavior when it later reads the combined file.
- Ingestion points: The skill reads
library.yaml(line 69), transcript JSON files (line 92), and summary markdown files (line 78) located within the library directory. - Boundary markers: No delimiters or "ignore embedded instructions" warnings are used when joining content.
- Capability inventory: The skill performs file system read operations across multiple methods and a file system write operation in the
exportmethod (line 54). - Sanitization: There is no evidence of escaping, validation, or filtering of the external content before it is interpolated into the output text.
Audit Metadata