troubleshoot
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill instructs the agent to ingest untrusted data directly from user-provided CLI output and error messages in step 1. This creates a surface for direct prompt injection where a user could provide instructions disguised as error logs to manipulate the agent's behavior.
- [COMMAND_EXECUTION]: In step 4, the skill explicitly allows the agent to 'run the commands' to apply fixes. While it includes a human-in-the-loop confirmation step ('Wait for confirmation on anything destructive'), this capability can be abused if the commands are generated from untrusted or malicious sources.
- [DATA_EXFILTRATION]: The skill accesses sensitive internal data sources including Slack, Notion, and Linear. A combination of indirect prompt injection and the ability to execute commands or present findings could be used to exfiltrate sensitive data from these platforms.
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface (Category 8).
  - Ingestion points: The skill ingests untrusted data from external platforms (Slack, Notion, Linear) and user-provided CLI output as specified in SKILL.md.
  - Boundary markers: None. The skill does not provide delimiters or instructions to the agent to ignore instructions embedded within the retrieved content.
  - Capability inventory: The skill has access to internal communication/documentation platforms and the ability to execute shell commands.
  - Sanitization: None. There is no evidence of validation or filtering applied to the content retrieved from Slack, Notion, or Linear before it is processed by the agent.
Audit Metadata