printing-press-reprint

Warn

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses python3 -c to calculate the age of research data, directly interpolating the $RESEARCHED_AT variable into a Python script string.
      ◦ Evidence: In Phase C, the value extracted from a research.json file is placed inside single quotes in a Python command: ts = '$RESEARCHED_AT'.replace('Z', '+00:00').
      ◦ Risk: If a CLI is imported from an untrusted or compromised registry, a maliciously crafted researched_at field could escape the Python string literal and execute arbitrary commands via the Python interpreter.
  • [EXTERNAL_DOWNLOADS]: The skill fetches and imports external data and configurations from a public registry.
      ◦ Evidence: Phase A involves fetching a registry.json from a public library and invoking /printing-press-import to download CLI contents.
      ◦ Context: While part of the intended functionality, this establishes a dependency on the integrity of the remote registry.
  • [PROMPT_INJECTION]: The skill processes untrusted user input and external data, which are then passed to subsequent agent tasks.
      ◦ Evidence: Phase D bundles a "freeform reprint reason" provided by the user and data from prior research into the prompt for the /printing-press skill.
      ◦ Ingestion points: SKILL.md (via user arguments and research.json).
      ◦ Boundary markers: Absent; the content is passed verbatim.
      ◦ Capability inventory: The downstream /printing-press skill has access to Bash and file-writing tools.
      ◦ Sanitization: None detected for the concatenated prompt data.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: May 19, 2026, 08:33 PM
Security Audit — agent-trust-hub — printing-press-reprint