agent-rules

Warn

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/verify-commands.sh extracts and executes command strings from the AGENTS.md file using bash -c to ensure documented commands are functional.
  • [REMOTE_CODE_EXECUTION]: The verification logic in scripts/verify-commands.sh contains a shell injection vulnerability. The is_safe_command function only validates that the first word of a command is in a whitelist (which includes curl and wget), allowing an attacker to execute arbitrary code by appending malicious commands using shell operators like semicolons or pipes in project files such as package.json or Makefile.
  • [COMMAND_EXECUTION]: The skill possesses a significant indirect prompt injection surface.
      1. Ingestion points: extract-commands.sh and extract-ci-commands.sh read from untrusted project configuration files.
      2. Boundary markers: Data is interpolated into markdown tables in the generated AGENTS.md.
      3. Capability inventory: The skill provides verify-commands.sh, which executes these strings with the full privileges of the agent's shell.
      4. Sanitization: Validation is limited to a simple first-word whitelist check that is easily bypassed.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 16, 2026, 12:38 PM
Security Audit — agent-trust-hub — agent-rules