korean-middle-korean
Fail
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill workflow instructs the agent to execute a Node.js script (scripts/korean_middle_korean.js) and pass user-provided text as a command-line argument (--text). This pattern is highly susceptible to shell command injection. If the agent does not properly escape the input before executing the command, an attacker can use shell metacharacters (e.g., ';', '&', '|') to execute arbitrary code on the host system.
- [DATA_EXFILTRATION]: The helper script includes functionality to read arbitrary files from the filesystem via the --file argument using fs.readFileSync(). This provides a mechanism for an attacker to potentially read sensitive configuration files, environment variables, or private keys if they can influence the path provided to the script.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection, as it ingests untrusted data from files, stdin, or CLI arguments and returns the transformed output to the agent's context without sanitization or boundary markers.
  - Ingestion points: The readInput function in scripts/korean_middle_korean.js reads data from --text, --file, and --stdin.
  - Boundary markers: None. The skill does not use delimiters or instructions to ignore embedded commands in the processed text.
  - Capability inventory: The script can read any file the process has access to via fs.readFileSync.
  - Sanitization: None. The text undergoes regex transformation but no security-focused sanitization.
Recommendations
- AI detected serious security threats
Audit Metadata