minimal-run-and-audit
Warn
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The script scripts/write_outputs.py dynamically loads and executes a Python module from a path computed at runtime.
  - Evidence: It uses importlib.util.spec_from_file_location to load a module from ../../../shared/scripts/write_run_bundle.py.
  - Risk: This method of dynamic loading from computed paths outside the skill's directory can be exploited to execute arbitrary code if an attacker can influence the file system structure or contents in the shared directory.
- [COMMAND_EXECUTION]: The script scripts/run_command.py is designed to execute arbitrary shell commands provided via the --command argument.
  - Evidence: The execute_command function takes a command string, splits it using shlex.split, and passes it to subprocess.run.
  - Risk: While shlex.split prevents some forms of basic shell injection, the utility effectively functions as a wrapper for arbitrary command execution within the agent's environment.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and parsing untrusted command output.
  - Ingestion points: scripts/run_command.py captures and combines stdout and stderr from executed commands.
  - Boundary markers: No explicit delimiters or instructions are used to separate the ingested command output from the agent's logic.
  - Capability inventory: The skill has the capability to run subprocesses (scripts/run_command.py) and load external Python modules (scripts/write_outputs.py).
  - Sanitization: The output is processed via regex (METRIC_RE) for metric extraction, but the raw logs are stored in execution_log and written to files without further sanitization, which could influence downstream agent actions if they contain malicious instructions.
Audit Metadata