camino-school-finder
Warn
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/school-finder.shis vulnerable to command argument injection. While thequeryparameter is URI-encoded usingjq, other parameters such aslat,lon,radius, andlimitare appended directly to thecurlcommand string after being extracted from JSON. Because these variables are expanded inside double quotes in thecurlcall, a maliciously crafted JSON input containing double quotes (e.g.,{"limit": "20\" -o /tmp/malicious"}) could break out of the URL string and inject additional arguments intocurl, potentially allowing for arbitrary file writes. - [EXTERNAL_DOWNLOADS]: The skill performs GET requests to
api.getcamino.aito fetch location data. This is the official API for the Camino AI suite as documented. - [DATA_EXFILTRATION]: The identified argument injection vulnerability in the
curlcommand could be leveraged to exfiltrate sensitive information by redirecting the output of the request or by injecting additional headers and parameters that point to an external server. - [INDIRECT_PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection as it processes location-based queries and coordinates which may originate from untrusted user input or external data sources.
- Ingestion points: User-provided search queries and location parameters processed by
scripts/school-finder.sh. - Boundary markers: None observed in the prompt or script to delimit untrusted data.
- Capability inventory: The skill has the ability to execute shell commands via
curlandjq. - Sanitization: Only the
queryparameter is URI-encoded; numeric and other string parameters lack sufficient validation or encoding.
Audit Metadata