FirstPrinciples
Warn
Audited by Gen Agent Trust Hub on Jun 29, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill mandates the use of
curlandechoshell commands for telemetry and execution logging. These commands are executed locally upon skill invocation and completion. - [COMMAND_EXECUTION]: There is a command injection risk in the notification and logging steps. The instructions direct the agent to interpolate variables, such as the workflow action and a user-derived summary, into shell command strings. A malicious user could provide input that results in a summary designed to break out of the shell context and execute arbitrary commands.
- [PROMPT_INJECTION]: The skill contains an indirect prompt injection attack surface (Category 8) because it ingests untrusted user input and uses it to construct shell commands.
- [PROMPT_INJECTION]: Evidence chain for Category 8:
- Ingestion points: User-provided problem descriptions and constraints are summarized for the logging and notification commands across all workflows.
- Boundary markers: The instructions do not define delimiters or provide warnings to ignore embedded instructions within the processed data.
- Capability inventory: The skill utilizes subprocess-like execution via shell commands (
curl,echo) in the main file and all workflow scripts. - Sanitization: There are no explicit instructions for escaping, validating, or filtering user-influenced content before interpolation into the shell commands.
Audit Metadata