jfrog-system-config-repo

Pass

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by processing external manifest files.
  • Ingestion points: Data is ingested from a user-provided or external YAML manifest file (referenced as $MANIFEST_FILE).
  • Boundary markers: Absent. The skill does not use delimiters or explicit 'ignore' instructions when interpolating manifest data into tool operations.
  • Capability inventory: The skill utilizes jf api (network and JFrog platform access), git (cloning and pushing to remote repositories), and curl (arbitrary HTTP requests), along with file system operations (mkdir, cp, rm).
  • Sanitization: Absent. Values extracted via yq (such as STATE_PROJECT, STATE_REPO, and STATE_GIT_REPO) are used directly in shell command strings without validation or escaping.
  • [COMMAND_EXECUTION]: The skill interpolates shell variables extracted from the manifest directly into bash commands. This pattern allows for command injection if a manifest file contains malicious characters (e.g., ;, &&, or backticks). Examples include construction of URLs for git operations and path parameters for jf api calls.
  • [DATA_EXFILTRATION]: The skill transmits the JFROG_ACCESS_TOKEN via headers to endpoints. Since the GITHUB_HOST and repository paths are configurable via the manifest file, an attacker-controlled manifest could potentially point these operations toward a malicious server to harvest credentials.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 29, 2026, 03:44 PM