monitor-rollout

Pass

Audited by Gen Agent Trust Hub on May 6, 2026

Risk Level: SAFE

Finding categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill processes monitoring plan files (e.g., in .rollout/) and extracts a 'rollback hint' which is reproduced verbatim in reports and passed to other agent modes. This creates an opportunity for an attacker to influence agent behavior if the plan file is sourced from untrusted data (like a PR body).
    * Ingestion points: Monitoring plan markdown files provided as arguments or discovered in the repository.
    * Boundary markers: None identified; content is parsed and interpolated directly into prompts.
    * Capability inventory: Includes shell command execution (via Bash tool), network requests (via curl), and the ability to pivot agent context via EnterPlanMode.
    * Sanitization: No sanitization or validation of the extracted 'rollback hint' or 'indicator notes' is performed before re-injection into the agent session.
    (Evidence: SKILL.md, references/plan-mode-handoff.md)
  • [COMMAND_EXECUTION]: Dynamic Shell Command Construction. The skill's workflow involves constructing and executing shell commands defined within the monitoring plan. It specifically instructs the agent to substitute variables (e.g., <merge_sha>) into these commands before running them. (Evidence: SKILL.md step 3, references/deploy-detection-recipes.md)
  • [DATA_EXFILTRATION]: Handling of Authentication Tokens. Polling scripts for Buildkite and Vercel use environment variables (BUILDKITE_API_TOKEN, VERCEL_TOKEN) for authentication. While these are sent to official API endpoints, the skill also possesses generic network capability through poll_http.sh, which could be used to send data to arbitrary URLs. (Evidence: scripts/poll_buildkite.sh, scripts/poll_vercel.sh, scripts/poll_http.sh)
  • [EXTERNAL_DOWNLOADS]: Recommended Installation Path. The skill includes a check script that suggests installing other skills from the author's repository using npx skills add firetiger-oss/skills. This involves downloading and executing external code from the npm registry. (Evidence: scripts/check_companion.sh)
Audit Metadata

Risk Level: SAFE
Analyzed: May 6, 2026, 02:07 AM
Security Audit — agent-trust-hub — monitor-rollout