bookstrap-edit
Fail
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The workflow scripts in SKILL.md use hardcoded database credentials (--user root --pass root) to connect to a SurrealDB instance for data retrieval and report storage.\n- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute surreal sql commands, allowing interaction with the local system's database environment.\n- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it retrieves manuscript content from the section table and passes it to an editor agent for qualitative analysis without sanitization.\n
- Ingestion points: Manuscript content is queried from the section table via surreal sql.\n
- Boundary markers: There are no boundary markers or instructions to ignore embedded prompts within the retrieved manuscript data.\n
- Capability inventory: The skill utilizes Bash, Read, and Edit tools, which could be leveraged if the agent follows malicious instructions embedded in the manuscript content.\n
- Sanitization: No validation, escaping, or filtering of the manuscript content is performed prior to processing.
Recommendations
- AI detected serious security threats
Audit Metadata