printing-press-reprint
Warn
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses `python3 -c` to calculate the age of research data, directly interpolating the `$RESEARCHED_AT` variable into a Python script string.
  - Evidence: In Phase C, the value extracted from a `research.json` file is placed inside single quotes in a Python command: `ts = '$RESEARCHED_AT'.replace('Z', '+00:00')`.
  - Risk: If a CLI is imported from an untrusted or compromised registry, a maliciously crafted `researched_at` field could escape the Python string and execute arbitrary commands via the Python interpreter.
- [EXTERNAL_DOWNLOADS]: The skill fetches and imports external data and configurations from a public registry.
  - Evidence: Phase A involves fetching a `registry.json` from a public library and invoking `/printing-press-import` to download CLI contents.
  - Context: While part of the intended functionality, this establishes a dependency on the integrity of the remote registry.
- [PROMPT_INJECTION]: The skill processes untrusted user input and external data which is then passed to subsequent agent tasks.
  - Evidence: Phase D bundles a "freeform reprint reason" provided by the user and data from prior research into the prompt for the `/printing-press` skill.
  - Ingestion points: `SKILL.md` (via user arguments and `research.json`).
  - Boundary markers: Absent; the content is passed verbatim.
  - Capability inventory: The downstream `/printing-press` skill has access to Bash and file-writing tools.
  - Sanitization: None detected for the concatenated prompt data.
Audit Metadata