scenario
Warn
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The scenario schema defined in references/scenario-schema.md includes a 'check' field explicitly designed to store and execute shell commands. These commands are run during the validation process (triggered by the /validation skill). Although this is the field's intended function, it provides a direct mechanism for arbitrary command execution.
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection via the /scenario add command described in SKILL.md. User-provided narrative descriptions are used to infer scenario components, including shell commands, without explicit sanitization or boundary markers to prevent the injection of malicious instructions.
- Ingestion points: User-provided narrative descriptions via the 'ao scenario add' command in SKILL.md.
- Boundary markers: None identified; user input is directly processed to infer scenario components.
- Capability inventory: The skill generates JSON files containing shell commands that are later executed by a separate evaluation agent with access to the environment.
- Sanitization: No sanitization or validation of the inferred shell commands is documented or performed before writing to the holdout directory.
Audit Metadata