debug-investigator

Warn

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes several high-impact shell commands for its core functionality, including git (log, diff, bisect, checkout, reset) for history analysis and kill -QUIT <pid> for generating thread dumps. It also provides templates for creating and running custom shell scripts (bisect_test.sh) to automate debugging tasks.
  • [REMOTE_CODE_EXECUTION]: In references/instrumentation-points.md, the skill instructs users to use debugpy.listen(5678) to enable remote debugging. This operation opens a network port that, if not properly firewalled or authenticated, allows remote actors to attach a debugger and execute arbitrary code within the agent's environment.
  • [EXTERNAL_DOWNLOADS]: The references/bisection-guide.md file includes instructions for running pip install -e ., which triggers local package installation. This process executes setup.py or equivalent build scripts, leading to arbitrary code execution from the local directory during the bisection process.
  • [DATA_EXFILTRATION]: The skill is designed to access and analyze highly sensitive information, including source code, environment variables (echo $VAR), database states, and application logs. While intended for diagnosis, the instructions facilitate the exposure of credentials and system architecture details to the agent context.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it processes untrusted external data (logs and stacktraces) while possessing powerful system capabilities.
    • Ingestion points: System logs and error tracebacks are analyzed in SKILL.md, references/stacktrace-patterns.md, and references/log-analysis.md.
    • Boundary markers: No specific delimiters or instructions to ignore embedded commands within the ingested data are present.
    • Capability inventory: Includes shell command execution (git, kill), script generation/execution, and package management (pip).
    • Sanitization: No sanitization or validation mechanisms are described for the content of processed logs or tracebacks.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 19, 2026, 11:21 AM
Security Audit — agent-trust-hub — debug-investigator