drive-tick

Warn

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: MEDIUMREMOTE_CODE_EXECUTIONPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill dynamically loads platform and sink adapter logic from relative file paths constructed using the --platform and --sink command-line arguments (e.g., ../drive/references/platforms/<platform>.md). This dynamic loading of instruction files presents a risk if the input arguments are not validated against an allowlist, as it could allow for the execution of unauthorized instruction sets.
  • [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface by consuming untrusted content from external sources like GitHub PR comments and user messages during the 'Inbox Handling' phase. This content can influence agent behavior and manifest amendments.
  • Ingestion points: External data enters through the platform adapter's inbox and state reports.
  • Boundary markers: No technical delimiters are enforced; the skill relies on instructional warnings in the 'Security' section.
  • Capability inventory: The skill can perform git commits, push code, and call the /do skill to implement changes.
  • Sanitization: The instructions recommend manual verification against the manifest but lack automated sanitization of external inputs.
  • [COMMAND_EXECUTION]: The skill uses a --run-id argument to construct a lock file path at /tmp/drive-lock-{run-id}. If this identifier is utilized in shell-based operations without sanitization, it could potentially allow for command injection.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 16, 2026, 07:38 AM
Security Audit — agent-trust-hub — drive-tick