infrastructure-doc-sync
Fail
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill explicitly instructs the agent to perform remote command execution via SSH. Specifically, it commands the agent to run: ssh hass@192.168.10.17 "cd ~/docker_files && docker compose up -d dashy". This grants the agent direct shell access to a remote host to manage containers.
- [EXTERNAL_DOWNLOADS]: The skill identifies remote targets for data synchronization, such as docker_69:/home/hass/docker_files/infra_info/data/overview.json. This implies the agent is expected to access and retrieve data from external systems beyond the local workspace.
- [PROMPT_INJECTION]: The skill processes untrusted data from the environment through its workflow to "Collect current runtime truth from hosts (containers, network mode, ports, and workload role)."
  - Ingestion points: Runtime truth data collected from Docker hosts (file: SKILL.md).
  - Boundary markers: None present to distinguish between system instructions and collected data.
  - Capability inventory: SSH command execution, file writes to documentation and configuration files (dashy/conf.yml, AGENTS.md).
  - Sanitization: No explicit sanitization or validation of the collected runtime data is mentioned before it is used to update documentation and configuration files. This creates a surface for indirect prompt injection if container metadata or host environment variables are manipulated.
Recommendations
- AI detected serious security threats