grid25
Fail
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the
bash_toolto execute a local Python script (scripts/render.py) with arguments derived from user input and external search results. The instructions direct the agent to interpolate these strings directly into a shell command line. This creates a high risk of shell command injection if a user or a malicious search result provides a string containing shell metacharacters (e.g.,"; curl ... | bash; #). - [COMMAND_EXECUTION]: The rendering logic in
scripts/render.pyperforms simple string replacement to inject theindustryandresults_jsonvariables into HTML templates. These templates are subsequently displayed to the user via thevisualize:show_widgettool. Because there is no sanitization or escaping of these variables, malicious content (such as<script>tags) in the industry name or search results could execute arbitrary JavaScript in the user's interface (XSS). - [PROMPT_INJECTION]: The skill has a high exposure to indirect prompt injection due to its processing of untrusted data from the web.
- Ingestion points: Untrusted external data is fetched via the
web_searchtool in Step 5 and processed into a JSON format. - Boundary markers: No boundary markers or instructions are present to prevent the agent from obeying instructions embedded within the search results.
- Capability inventory: The skill possesses powerful capabilities including
bash_tool(shell access),web_search, andvisualize:show_widget(UI rendering). - Sanitization: No sanitization or validation is performed on the data before it is passed to the shell or the rendering engine.
Recommendations
- AI detected serious security threats
Audit Metadata