research
Fail
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: HIGH
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to construct and run shell commands using node "$CLI" where user-provided input from $ARGUMENTS and $QUERY is directly interpolated into the command line (e.g., inside the --businesses or --prospects flags). There are no instructions to sanitize this input or use shell-safe escaping, which can lead to arbitrary command execution if the input contains shell metacharacters like backticks, semicolons, or pipe symbols.
- [DATA_EXFILTRATION]: The skill handles a sensitive API key (VP_API_KEY) retrieved from an MCP tool. Because of the command injection risk, this sensitive credential could be exfiltrated to an external server by a malicious user.
- [PROMPT_INJECTION]: The skill has a significant attack surface for indirect prompt injection as it processes external, untrusted data from user arguments and files.
  - Ingestion points: Data enters through the $ARGUMENTS variable and external CSV or JSON files passed via the --from-file parameter.
  - Boundary markers: The skill lacks any boundary markers or instructions to ignore instructions embedded within the identifiers being processed.
  - Capability inventory: The skill can execute shell commands (node), write to the filesystem (mktemp, redirection), and interact with the network (via the underlying CLI tool).
  - Sanitization: No sanitization, validation, or escaping logic is defined for the external content before it is processed into JSON or executed via the shell.
Recommendations
- AI detected serious security threats
Audit Metadata