cs-decide
Warn
Audited by Gen Agent Trust Hub on May 6, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute a local Python script, `codestable/tools/search-yaml.py`, using shell commands. The search pattern `python codestable/tools/search-yaml.py --query "{关键词}"` involves direct interpolation of user-supplied text into a shell command line. If the agent or the execution environment fails to properly escape shell metacharacters (e.g., `;`, `&`, `|`, `` ` ``) in the `{关键词}` placeholder, an attacker could execute arbitrary commands on the host system.
- [INDIRECT_PROMPT_INJECTION]: Phase 1.5 of the workflow involves searching and reading existing decision documents from the `codestable/compound/` directory. This creates a vulnerability surface where malicious instructions embedded in previously archived files could influence the agent's behavior during the archiving or review process.
- Ingestion points: Files located in `codestable/compound/` are read via the `search-yaml.py` tool.
- Boundary markers: None identified. The skill does not specify using delimiters or instructions to ignore embedded commands when reading search results.
- Capability inventory: The skill has the capability to write files to the project directory and execute local shell scripts.
- Sanitization: No explicit sanitization or validation of the content of existing decision files is mentioned before processing.
Audit Metadata