check

Fail

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions direct the agent to build a bash command string by directly interpolating user-supplied arguments such as file paths, brand slugs, and evidence paths. This pattern is vulnerable to command injection, as an attacker could provide input containing shell metacharacters (e.g., semicolons, backticks, or command substitution) to execute arbitrary commands in the host environment. Mitigation: Use structured execution methods that do not involve raw shell interpolation, or strictly validate and sanitize all user-provided strings before command construction.
  • [PROMPT_INJECTION]: The skill processes untrusted user-provided content (e.g., marketing drafts) as input for evaluation scripts, creating a surface for indirect prompt injection where embedded instructions could attempt to subvert the evaluation logic.
    • Ingestion points: User-provided file paths or inline content processed by the eval scripts via the /dm:check command.
    • Boundary markers: Absent; the content is passed directly to the evaluation scripts without the use of delimiters or instructions to ignore embedded commands.
    • Capability inventory: The skill is granted access to the Bash, Read, Glob, and Grep tools.
    • Sanitization: No input validation or instruction-filtering is described in the skill flow. Mitigation: Implement robust boundary markers around untrusted data and sanitize content to ensure the agent ignores any embedded instructions.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 15, 2026, 01:58 PM
Security Audit — agent-trust-hub — check