oma-qa

Warn

Audited by Gen Agent Trust Hub on May 10, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides direct instructions to the agent to execute arbitrary shell commands for auditing and environment setup.
    • Evidence in SKILL.md: Instructions to run npm audit, bandit, and lighthouse.
    • Evidence in resources/execution-protocol.md: Instructions to start application servers (e.g., bun run dev, uv run manage.py runserver) and execute shell loops with curl for rate-limiting tests.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to Indirect Prompt Injection (Category 8) because it is designed to process untrusted external data with high-privilege capabilities.
    • Ingestion points: Reads all project source files (Step 1), interacts with the live web application's DOM and network traffic (Step 2.5), and reads tool outputs.
    • Boundary markers: None identified. There are no instructions or delimiters provided to help the agent distinguish between code/data being audited and instructions to be followed.
    • Capability inventory: Full file system read access, shell command execution (subprocess calls), network operations via curl, and browser control via Chrome DevTools (including evaluate_script).
    • Sanitization: No sanitization or validation of the content being audited is mentioned.
  • [REMOTE_CODE_EXECUTION]: The skill uses dynamic execution and network interactions that could be leveraged for remote code execution if the input data is malicious.
    • Evidence in resources/execution-protocol.md: Uses evaluate_script(function) to run JavaScript in a browser context and evaluate_script(fetch) to trigger network requests.
    • The Execution Protocol (CLI Mode) in SKILL.md describes loading vendor-specific protocols from a computed path (../_shared/runtime/execution-protocols/{vendor}.md), which could be exploited if the {vendor} variable is influenced by untrusted input.
  • [DATA_EXFILTRATION]: While not explicitly malicious, the skill's ability to read all files (including those matching password.*=) and then use curl or browser-based fetch creates a clear path for data exfiltration if the agent is compromised by indirect prompt injection.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 10, 2026, 03:17 AM