skills/iii-hq/workers/shell/Gen Agent Trust Hub

shell

Warn

Audited by Gen Agent Trust Hub on Jul 4, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill exposes the shell::exec and shell::exec_bg functions, allowing for the execution of Unix shell commands on the host or in a sandbox. The instructions acknowledge that the host-based denylist is a simple regex check that can be bypassed by interpreters like Python, Node.js, or Shell, which can construct forbidden commands at runtime.
  • [COMMAND_EXECUTION]: Provides high-privilege filesystem operations via shell::fs::chmod, which allows changing file permissions and potentially altering owner UID/GID settings.
  • [COMMAND_EXECUTION]: Grants significant control over the system state through functions for writing files (shell::fs::write), deleting paths (shell::fs::rm), and modifying content via regex (shell::fs::sed).
  • [DATA_EXFILTRATION]: Facilitates access to sensitive system information and files through shell::fs::read, shell::fs::grep, and the coder::* suite (e.g., coder::read-file, coder::search), enabling the agent to read and potentially leak any data accessible within the host-root jail.
  • [COMMAND_EXECUTION]: Supports persistent background job execution (shell::exec_bg), which can be configured with an unbounded timeout, potentially allowing long-running unauthorized processes to remain active on the host.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by allowing the agent to ingest untrusted data from the filesystem that could contain malicious instructions.
  • Ingestion points: shell::fs::read, shell::fs::grep, and coder::read-file in SKILL.md.
  • Boundary markers: No specific delimiters or instruction-ignore warnings are implemented for processed file content.
  • Capability inventory: High-privilege actions like shell::exec, shell::fs::write, and shell::fs::chmod are available if the agent is manipulated by file content.
  • Sanitization: No validation or escaping of ingested file data is mentioned before it enters the agent's context.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 4, 2026, 10:55 AM
Security Audit — agent-trust-hub — shell