add-backend-tool

Fail

Audited by Gen Agent Trust Hub on Mar 30, 2026

Risk Level: HIGH
Flags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill provides instructions for the agent to modify its own source code (backend/main.py) and implement new Python functions at runtime. This self-modification capability allows for the injection of arbitrary logic into the agent's core execution loop.
  • [COMMAND_EXECUTION]: The instructions explicitly suggest creating tools for 'run_terminal_command' and 'git operations'. If an attacker-controlled prompt leads the agent to define such a tool, they could gain unauthorized command-line access to the host environment.
  • [DATA_EXFILTRATION]: The skill suggests capabilities like 'web scraping' and 'read_file'. These can be combined with custom tool definitions to read sensitive local data (e.g., credentials) and transmit it to external servers.
  • [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by processing user requests to extend agent capabilities.
    1. Ingestion points: User mentions 'new tool', 'add tool', etc. (SKILL.md).
    2. Boundary markers: None present.
    3. Capability inventory: Writing to 'backend/main.py' and execution of custom functions via WebSocket loop.
    4. Sanitization: None present beyond a brief instruction to 'consider security implications'.
  • [EXTERNAL_DOWNLOADS]: The skill's installation process in the metadata uses curl to fetch instructions from an external GitHub repository that is not associated with a recognized trusted organization.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 30, 2026, 02:41 PM
Security Audit — agent-trust-hub — add-backend-tool