skills/dtyq/magic/env-manager/Gen Agent Trust Hub

env-manager

Warn

Audited by Gen Agent Trust Hub on Apr 28, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses shell_exec in SKILL.md to run the scripts/env.py script for setting, unsetting, and listing environment variables.
  • [DATA_EXFILTRATION]: The script scripts/env.py identifies and interacts with sensitive configuration files (specifically .env files via get_magic_env_file()). While the script implements a mask() function to hide credentials in the list command output, it maintains full read/write access to these files.
  • [REMOTE_CODE_EXECUTION]: In scripts/env.py, the _setup_project_root and _init_path_manager functions perform dynamic path resolution by searching the directory tree for markers like setup.py. They then modify sys.path at runtime to import internal modules (e.g., app.path_manager), which is a form of dynamic loading from computed paths.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface as it ingests untrusted data (keys and values) from the agent's context and persists them to the filesystem.
      • Ingestion points: The script accepts arguments via sys.argv in main() which are then passed to cmd_set and cmd_unset.
      • Boundary markers: No boundary markers or instructions to ignore embedded commands are present in the prompt templates.
      • Capability inventory: The script uses the python-dotenv library to write directly to .env files on the filesystem.
      • Sanitization: While keys are validated against a regex (^[A-Za-z_][A-Za-z0-9_]*$), the values are passed to the set_key function without explicit sanitization or validation within the script.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 28, 2026, 10:27 AM