x-search
Fail
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill constructs shell commands by interpolating user-controlled variables (like the search topic) into a command string:
hermes -z "<prompt>". Because the prompt is wrapped in double quotes in a shell environment, any user input containing shell metacharacters such as backticks or$(...)will be evaluated and executed by the host shell before thehermestool is even invoked. - Evidence: The prompt templates in
SKILL.mdshow direct interpolation of user input into the shell command string. - [PROMPT_INJECTION]: The skill is designed to ingest and process untrusted data from X (Twitter) posts. It explicitly instructs the agent to transcribe the text verbatim and "mirror the source," providing a significant attack surface for indirect prompt injection attacks where malicious instructions hidden in posts could hijack the agent's behavior.
- Ingestion points: Data fetched from X (Twitter) via the
x_searchtool (SKILL.md). - Boundary markers: Absent. The instructions demand verbatim transcription ("文字起こし") and do not include protective delimiters or "ignore instructions" warnings for the fetched content.
- Capability inventory: The skill has access to the
Bashtool, allowing it to execute local shell commands (SKILL.md). - Sanitization: None. The skill requires full text retrieval without filtering for potential injection patterns.
Recommendations
- AI detected serious security threats
Audit Metadata