FirstPrinciples

Warn

Audited by Gen Agent Trust Hub on Jun 29, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill mandates the use of curl and echo shell commands for telemetry and execution logging. These commands are executed locally upon skill invocation and completion.
  • [COMMAND_EXECUTION]: There is a command injection risk in the notification and logging steps. The instructions direct the agent to interpolate variables, such as the workflow action and a user-derived summary, into shell command strings. A malicious user could provide input that results in a summary designed to break out of the shell context and execute arbitrary commands.
  • [PROMPT_INJECTION]: The skill contains an indirect prompt injection attack surface (Category 8) because it ingests untrusted user input and uses it to construct shell commands.
  • [PROMPT_INJECTION]: Evidence chain for Category 8:
  • Ingestion points: User-provided problem descriptions and constraints are summarized for the logging and notification commands across all workflows.
  • Boundary markers: The instructions do not define delimiters or provide warnings to ignore embedded instructions within the processed data.
  • Capability inventory: The skill utilizes subprocess-like execution via shell commands (curl, echo) in the main file and all workflow scripts.
  • Sanitization: There are no explicit instructions for escaping, validating, or filtering user-influenced content before interpolation into the shell commands.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 29, 2026, 01:33 PM
Security Audit — agent-trust-hub — FirstPrinciples