shell-session
Pass
Audited by Gen Agent Trust Hub on Jun 27, 2026
Risk Level: SAFE
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill implements a tool for running arbitrary bash commands with persistent state (working directory, environment variables). This provides the agent with extensive system access as per its intended design.
- [REMOTE_CODE_EXECUTION]: The skill documentation includes examples of software installation (e.g., pip install -q requests). These examples reference well-known packages and established registries.
- [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection. Because the tool is designed to read and process data from the environment, malicious instructions embedded in file contents or command outputs could potentially be interpreted as instructions by the agent.
- Ingestion points: Commands that read file content, list directories, or fetch network data via the shell-session tool.
- Boundary markers: None; there are no specified delimiters or instructions to ignore embedded commands in the tool's output.
- Capability inventory: The skill provides full shell capabilities across all scripts and instructions.
- Sanitization: No sanitization or validation of data retrieved via the shell is defined.