Prompting
Pass
Audited by Gen Agent Trust Hub on Jun 30, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The
RenderTemplate.tsscript executes the system commandlsusingBun.spawnSyncto list and register Handlebars partials from the localPartialsdirectory. Additionally, theSKILL.mdfile instructs the agent to execute acurlcommand upon invocation. - [DATA_EXFILTRATION]: The skill requires a mandatory notification via
curltohttp://localhost:31337/notify. While restricted to the local network, this operation transmits session-related metadata (workflow name and action) to a local service. - [PROMPT_INJECTION]: The skill operates as a prompt generator that ingests data from external YAML and JSON files, creating a vulnerability surface for indirect prompt injection.
- Ingestion points: Data is loaded from files in the
Templates/Data/directory via theloadDatafunction inRenderTemplate.ts. - Boundary markers: The Handlebars templates (e.g.,
Briefing.hbs,Gate.hbs) do not include delimiters or instructions to ignore embedded commands within the variables. - Capability inventory: The skill environment permits network operations (
curlinSKILL.md) and local command execution (Bun.spawnSyncinRenderTemplate.ts). - Sanitization: There is no evidence of validation or escaping performed on the external data before it is rendered into a prompt for use by an AI agent.
Audit Metadata