story

Fail

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill instructs the agent in Phase 3 to execute a command that writes a GitHub authentication token into the ~/.git-credentials file in plain text. Storing credentials unencrypted on the filesystem is an unsafe practice that exposes them to any entity with local file access.- [COMMAND_EXECUTION]: The instructions for Phase 3, Step 6 use shell command interpolation to pass an authentication token retrieved from the gh CLI directly into a git configuration command. This pattern can lead to the token being exposed in system process logs or shell history.- [PROMPT_INJECTION]: The skill uses the first word of the user-provided $ARGUMENTS as a variable (style-name) to construct local file paths, such as styles/{name}.html. The absence of path sanitization allows for directory traversal attacks, where a user could provide input like ../../.ssh/id_rsa to trick the agent into reading sensitive files.- [DATA_EXFILTRATION]: The skill creates a chain where sensitive content (potentially accessed via directory traversal) is incorporated into files that are subsequently pushed to a remote GitHub repository in Phase 3. This automated push mechanism can be abused to exfiltrate private data.- [PROMPT_INJECTION]: Indirect Prompt Injection vulnerability surface detected.
  • Ingestion points: User-supplied $ARGUMENTS used for file path construction and content generation.
  • Boundary markers: None identified in the prompt templates.
  • Capability inventory: Reading local files, writing local files, and performing network operations via git push.
  • Sanitization: No evidence of input validation or path normalization for the style name argument.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 29, 2026, 02:15 AM
Security Audit — agent-trust-hub — story