drive-tick
Warn
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill dynamically loads platform and sink adapter logic from relative file paths constructed using the
--platformand--sinkcommand-line arguments (e.g.,../drive/references/platforms/<platform>.md). This dynamic loading of instruction files presents a risk if the input arguments are not validated against an allowlist, as it could allow for the execution of unauthorized instruction sets. - [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface by consuming untrusted content from external sources like GitHub PR comments and user messages during the 'Inbox Handling' phase. This content can influence agent behavior and manifest amendments.
- Ingestion points: External data enters through the platform adapter's inbox and state reports.
- Boundary markers: No technical delimiters are enforced; the skill relies on instructional warnings in the 'Security' section.
- Capability inventory: The skill can perform git commits, push code, and call the
/doskill to implement changes. - Sanitization: The instructions recommend manual verification against the manifest but lack automated sanitization of external inputs.
- [COMMAND_EXECUTION]: The skill uses a
--run-idargument to construct a lock file path at/tmp/drive-lock-{run-id}. If this identifier is utilized in shell-based operations without sanitization, it could potentially allow for command injection.
Audit Metadata