cnb-skill
Warn
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The entry script scripts/core/index.js dynamically loads tool modules using require() with a path constructed from user-supplied command-line arguments (module and tool). This dynamic loading pattern is a security risk, as it could allow path traversal or arbitrary file inclusion if the agent is tricked into passing malicious parameters.
- [COMMAND_EXECUTION]: The core instructions in SKILL.md explicitly direct the agent to skip user confirmation before executing operations (CRITICAL: do not ask the user "do you need me to run this?"; execute the script directly based on the help information). This autonomy-focused instruction reduces human oversight and increases the danger of the agent performing unintended or malicious actions if it encounters a prompt injection.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface because it ingests untrusted data from the CNB platform (issues, pull requests, comments) through various listing and detail-fetching modules (e.g., list-issues.js, get-pull.js).
  - Ingestion points: Numerous modules in scripts/modules/issues/ and scripts/modules/pulls/ read external markdown content into the agent's context.
  - Boundary markers: The instructions do not include delimiters or system-level warnings telling the agent to ignore any embedded instructions within the platform data.
  - Capability inventory: The agent has Bash access to run internal scripts, can perform network requests to the CNB API, and can write files to the system's temporary directory.
  - Sanitization: No sanitization of the fetched markdown content is performed to filter out or escape potential prompt injection strings before the data is processed by the agent.
Audit Metadata