shell
Warn
Audited by Gen Agent Trust Hub on Jul 4, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill exposes the
shell::execandshell::exec_bgfunctions, allowing for the execution of Unix shell commands on the host or in a sandbox. The instructions acknowledge that the host-based denylist is a simple regex check that can be bypassed by interpreters like Python, Node.js, or Shell, which can construct forbidden commands at runtime. - [COMMAND_EXECUTION]: Provides high-privilege filesystem operations via
shell::fs::chmod, which allows changing file permissions and potentially altering owner UID/GID settings. - [COMMAND_EXECUTION]: Grants significant control over the system state through functions for writing files (
shell::fs::write), deleting paths (shell::fs::rm), and modifying content via regex (shell::fs::sed). - [DATA_EXFILTRATION]: Facilitates access to sensitive system information and files through
shell::fs::read,shell::fs::grep, and thecoder::*suite (e.g.,coder::read-file,coder::search), enabling the agent to read and potentially leak any data accessible within the host-root jail. - [COMMAND_EXECUTION]: Supports persistent background job execution (
shell::exec_bg), which can be configured with an unbounded timeout, potentially allowing long-running unauthorized processes to remain active on the host. - [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by allowing the agent to ingest untrusted data from the filesystem that could contain malicious instructions.
- Ingestion points:
shell::fs::read,shell::fs::grep, andcoder::read-filein SKILL.md. - Boundary markers: No specific delimiters or instruction-ignore warnings are implemented for processed file content.
- Capability inventory: High-privilege actions like
shell::exec,shell::fs::write, andshell::fs::chmodare available if the agent is manipulated by file content. - Sanitization: No validation or escaping of ingested file data is mentioned before it enters the agent's context.
Audit Metadata