connect

Warn

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, NO_CODE, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses shell interpolation to execute python3 scripts/connector-status.py --action setup-guide --name <connector> and python3 scripts/connector-status.py --action check --name <connector>. If the <connector> argument provided by the user is not properly sanitized, an attacker could inject malicious shell commands (e.g., ; rm -rf /).
  • [CREDENTIALS_UNSAFE]: The skill guides users through the setup of sensitive environment variables and API keys for platforms like Google Ads, Salesforce, and Twilio. While it provides instructions for secure handling, the management of these credentials within the agent's context increases the risk of accidental exposure if logs or outputs are not handled carefully.
  • [NO_CODE]: The core logic of the skill resides in an external script scripts/connector-status.py which is not included in the provided file list. This prevents a full security audit of the actual operations performed, such as how it validates inputs or interacts with the filesystem.
  • [PROMPT_INJECTION]: The skill features an indirect prompt injection surface in Step 3 and Step 4. It ingests data from a 'registry' via the connector-status.py script and interpolates this potentially untrusted external content into the instructions presented to the user. This lacks explicit boundary markers or sanitization logic to prevent malicious instructions embedded in the registry from influencing the agent's behavior.
  • [DATA_EXFILTRATION]: The skill modifies local configuration via .mcp.json and verifies the presence of environment variables. While no direct external exfiltration was detected, the capability to read environment variables and modify configuration files is a prerequisite for credential harvesting if combined with unauthorized network operations.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 1, 2026, 01:18 AM