sn-image-resume
Fail
Audited by Gen Agent Trust Hub on May 1, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Potential shell command injection in SKILL.md. The Worker Agent Workflow defines the USER_PROMPT variable using an unquoted heredoc (<< EOF) that interpolates $RESUME_CONTENT. Because this variable contains raw input from the user, an attacker can include shell command substitution patterns (e.g., $(...) or backticks) that will be executed by the shell during the variable assignment.
- [DATA_EXFILTRATION]: Insecure handling of sensitive user data in SKILL.md. The skill writes the raw RESUME_CONTENT to a temporary file in /tmp/openclaw/sn-image-resume/<task_id>/. This location is often world-readable, potentially exposing sensitive Personally Identifiable Information (PII) to other users or processes on the system.
- [PROMPT_INJECTION]: Vulnerability to indirect prompt injection in SKILL.md. The skill exhibits the following characteristics:
  - Ingestion points: Untrusted user input enters the agent context via the resume_content parameter in the Worker Agent Workflow.
  - Boundary markers: Missing. The skill uses a simple text label (Resume content:) rather than robust delimiters like XML tags or unique boundary strings to isolate user data.
  - Capability inventory: The skill has the capability to execute shell commands and trigger image generation via the sn_agent_runner.py script.
  - Sanitization: Absent. There is no evidence of filtering, escaping, or validation of the resume_content before it is interpolated into the prompt for the sn-text-optimize tool.
Recommendations
- AI detected serious security threats
Audit Metadata