validating-tpm-measured-boot-attestation

Pass

Audited by Gen Agent Trust Hub on Jun 23, 2026

Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes several system commands related to TPM 2.0 management and attestation.
  • Evidence: In scripts/agent.py, the run() function uses subprocess.run() to execute binaries including tpm2_pcrread, tpm2_eventlog, tpm2_createprimary, tpm2_create, tpm2_load, tpm2_readpublic, tpm2_quote, and tpm2_checkquote.
  • Safety Note: Commands are executed using list-based arguments without a shell (shell=False equivalent), which protects against standard shell injection vulnerabilities. The operations are consistent with the skill's stated purpose of hardware integrity verification.
  • [PRIVILEGE_ESCALATION]: The skill instructions and scripts involve operations that require elevated privileges (root/sudo).
  • Evidence: SKILL.md instructs the user to run sudo python scripts/agent.py. This is necessary because the TPM device nodes (/dev/tpm0) and kernel measurement logs (/sys/kernel/security/tpm0/binary_bios_measurements) are typically restricted to the root user.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes external data that could theoretically contain malicious instructions.
  • Ingestion points: scripts/agent.py reads the binary BIOS measurement log from the kernel and user-supplied baseline JSON files.
  • Capability inventory: The script can execute system commands via subprocess.run and write JSON reports to the filesystem.
  • Boundary markers: None present in the data ingestion logic.
  • Sanitization: The script uses regular expressions to parse command output and validates JSON structures, but does not explicitly sanitize the raw binary log data. However, as this data originates from the system firmware/kernel, it is considered a trusted source in this context.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 23, 2026, 03:45 PM
Security Audit — agent-trust-hub — validating-tpm-measured-boot-attestation