skills/compozy/skeeper/qa-report/Gen Agent Trust Hub

qa-report

Fail

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: HIGH
COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The shell scripts scripts/create_bug_report.sh and scripts/generate_test_cases.sh contain command injection vulnerabilities in the prompt_input function. The scripts use the eval command to dynamically assign user-supplied input to shell variables, which allows for the execution of arbitrary shell commands if the input contains command substitution patterns like $(...) or backticks. Furthermore, the scripts accept an output directory path as a command-line argument and use it in a mkdir -p command without sanitization. Since the AI agent is instructed in SKILL.md to execute these scripts and provide inputs based on user-supplied feature descriptions, this creates a direct path for unauthorized code execution on the host environment.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 11, 2026, 11:08 AM