minecraft-imagegen

Fail

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: HIGH (COMMAND_EXECUTION)
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/scaffold-asset-brief.sh writes user-controlled input into a shell heredoc without sanitizing it, which is a command-injection risk.
  • The script accepts user-controlled arguments via --type and --name.
  • These values are interpolated into a heredoc (cat >"$target" <<EOF) used to generate a markdown file.
  • In Bash, an unquoted heredoc delimiter (EOF instead of 'EOF') makes the shell perform parameter expansion, command substitution and arithmetic expansion on the heredoc body before writing it; only a quoted delimiter ('EOF' or "EOF") writes the body verbatim.
  • A malicious user or an indirect prompt injection could therefore supply a value such as $(id) as --name or --type. Whether that payload actually runs depends on how the value reaches the heredoc: if the script stores the argument in a variable and references $name in the body, Bash expands the variable once and does not re-scan the result, so the text $(id) lands in the file verbatim; if the argument text is spliced into shell source that is evaluated again (for example through eval, bash -c, or a generated script that is then executed), the command substitution executes on the host when the script runs. Confirm which expansion path the script uses before treating the finding as exploitable.
  • The sanitization applied to the slug variable does not cover the content written inside the heredoc, so --type and --name reach the body unfiltered.
Recommendations
  • Quote the heredoc delimiter (<<'EOF') so the body is written verbatim, and insert user-supplied values with printf '%s' or by referencing plain variables; never re-evaluate text that contains them.
  • Validate --type and --name against a conservative character allow-list (for example letters, digits, space, '.', '_' and '-') before use, rather than sanitizing only the derived slug.
  • Do not pass the raw arguments through eval, bash -c, or a second round of template expansion.
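The three expansion paths discussed above, side by side, as an added example that is not the project's scripts/scaffold-asset-brief.sh: a plain unquoted heredoc referencing variables (payload written verbatim), the re-evaluated variant that really does execute the payload, and a hardened renderer. The function names, the payload '$(echo INJECTED)' standing in for $(id), and the brief layout are all constructed for illustration; output goes to stdout instead of the script's $target file.

```shell
#!/bin/sh
# Added example, not the project's scaffold script. Contrasts three ways of
# writing user-controlled --type/--name values into a generated asset brief.
# The payload '$(echo INJECTED)' is a constructed, harmless stand-in for $(id).
set -eu

# 1. Unquoted delimiter, plain variable references in the body. The shell
#    expands ${asset_name} once and does not re-scan the result, so a payload
#    held in the variable is written verbatim. Substitutions written in the
#    body itself ($(printf scaffold) below) do run; that is what the unquoted
#    delimiter enables.
render_heredoc() {
  local asset_type="$1" asset_name="$2"
  cat <<EOF
# Asset brief: ${asset_name}
type: ${asset_type}
generated-by: $(printf scaffold)
EOF
}

# 2. The genuinely exploitable shape: the argument text is spliced into shell
#    source and that source is evaluated again, so the heredoc parser now sees
#    $(echo INJECTED) as script text and executes it.
render_eval() {
  local asset_type="$1" asset_name="$2"
  eval "cat <<EOF
# Asset brief: ${asset_name}
type: ${asset_type}
EOF
"
}

# 3. Hardened form: reject anything outside a conservative allow-list, then
#    write the body with printf '%s' so no expansion pass ever sees the user
#    text. A quoted delimiter (<<'EOF') is the equivalent fix when the body
#    has no values to insert.
render_safe() {
  local asset_type="$1" asset_name="$2"
  case "${asset_type}${asset_name}" in
    *[!A-Za-z0-9\ ._-]*)
      printf 'error: --type/--name may only contain letters, digits, space, . _ -\n' >&2
      return 1 ;;
  esac
  printf '# Asset brief: %s\ntype: %s\n' "$asset_name" "$asset_type"
}

# Demo: the same constructed payload through each renderer.
render_heredoc texture '$(echo INJECTED)'   # payload written literally
render_eval texture '$(echo INJECTED)'      # payload executed
render_safe texture hero-sprite             # clean input accepted
```

Run it with sh or bash; render_heredoc prints the literal text "$(echo INJECTED)", render_eval prints "INJECTED", and render_safe refuses the payload with a non-zero exit status while accepting hero-sprite.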
Audit Metadata
Risk Level: HIGH
Analyzed: May 11, 2026, 07:21 AM