detecting-attacks-on-historian-servers

Pass

Audited by Gen Agent Trust Hub on Apr 20, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The agent script in scripts/agent.py performs network operations by scanning for open ports using the Python socket library to identify historian services (e.g., ports 5450, 8088).
  • [EXTERNAL_DOWNLOADS]: The skill relies on the standard requests library for all network-based API interactions. The scripts contain logic to notify the user if this dependency is missing.
  • [DATA_EXPOSURE_AND_EXFILTRATION]: The scripts/agent.py file allows users to disable TLS certificate verification by setting an environment variable SKIP_TLS_VERIFY. While a common feature for testing in OT environments with self-signed certificates, it could lead to data exposure if used in production settings.
  • [METADATA_POISONING]: There is a minor inconsistency between the author name 'mahipal' listed in the SKILL.md frontmatter and the name 'mukul975' mentioned in the LICENSE file.
  • [INDIRECT_PROMPT_INJECTION]: The skill provides an attack surface for indirect prompt injection because it ingests and processes untrusted time-series data and log files from external historians.
    • Ingestion points: Data is retrieved via requests.get from historian APIs in SKILL.md (lines 78, 92, 126) and scripts/agent.py (lines 52, 74, 98, 103).
    • Boundary markers: No delimiters or boundary instructions are used to separate retrieved data from agent instructions.
    • Capability inventory: The skill has network access via the requests library and file-writing capabilities in scripts/agent.py (line 173).
    • Sanitization: There is no evidence of sanitization or validation of the retrieved historian data before it is processed or analyzed.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 20, 2026, 11:04 PM
Security Audit — agent-trust-hub — detecting-attacks-on-historian-servers