visla
Fail
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill explicitly instructs the agent to search for and read sensitive credential files from the user's home directory (~/.config/visla/.credentials) and, if the file exists, to use them automatically without asking the user.
- [COMMAND_EXECUTION]: The skill implements an 'Autonomous Repair Mode' which directs the agent to dynamically patch, back up, and overwrite its own source code scripts (scripts/visla_cli.sh, scripts/visla_cli.py) when failures occur. This self-modifying code pattern is highly risky, as it could be exploited to persist malicious changes if the agent's repair logic is influenced by external error messages or inputs.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from external URLs and document files (PPT/PDF).
  - Ingestion points: Data enters via the `url` and `doc` command arguments.
  - Boundary markers: The instructions lack delimiters or explicit warnings to the agent to ignore instructions embedded within the fetched content.
  - Capability inventory: The skill has the capability to execute shell/Python scripts and overwrite local files (via Repair Mode).
  - Sanitization: There is no mention of sanitizing or validating the content retrieved from external sources before processing.
- [COMMAND_EXECUTION]: The skill executes external scripts using shell environments with user-provided arguments, which may lead to command injection if the underlying scripts do not properly sanitize inputs like URLs or file paths.
Recommendations
- AI detected serious security threats