story
Fail
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill instructs the agent in Phase 3 to execute a command that writes a GitHub authentication token into the
~/.git-credentialsfile in plain text. Storing credentials unencrypted on the filesystem is an unsafe practice that exposes them to any entity with local file access.- [COMMAND_EXECUTION]: The instructions for Phase 3, Step 6 use shell command interpolation to pass an authentication token retrieved from theghCLI directly into a git configuration command. This pattern can lead to the token being exposed in system process logs or shell history.- [PROMPT_INJECTION]: The skill uses the first word of the user-provided$ARGUMENTSas a variable (style-name) to construct local file paths, such asstyles/{name}.html. The absence of path sanitization allows for directory traversal attacks, where a user could provide input like../../.ssh/id_rsato trick the agent into reading sensitive files.- [DATA_EXFILTRATION]: The skill creates a chain where sensitive content (potentially accessed via directory traversal) is incorporated into files that are subsequently pushed to a remote GitHub repository in Phase 3. This automated push mechanism can be abused to exfiltrate private data.- [PROMPT_INJECTION]: Indirect Prompt Injection vulnerability surface detected. - Ingestion points: User-supplied
$ARGUMENTSused for file path construction and content generation. - Boundary markers: None identified in the prompt templates.
- Capability inventory: Reading local files, writing local files, and performing network operations via git push.
- Sanitization: No evidence of input validation or path normalization for the style name argument.
Recommendations
- AI detected serious security threats
Audit Metadata