qa-report
Fail
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The helper function
prompt_inputin bothscripts/create_bug_report.shandscripts/generate_test_cases.shutilizes theevalcommand to dynamically assign user-supplied strings to shell variables. The implementationeval "$var_name=\"$input\""fails to sanitize the$inputvariable, enabling command injection via shell metacharacters such as;,$(...), or backticks. An attacker or malicious input can execute arbitrary shell commands within the environment where the scripts are run. - [REMOTE_CODE_EXECUTION]: The procedural steps in
SKILL.md(Step 4 and Step 7) explicitly instruct the agent to execute these vulnerable shell scripts. Because these scripts are designed to take input from the agent's context, which may include untrusted data from user prompts or external sources, this vulnerability facilitates arbitrary code execution in the agent's operating environment. - [PROMPT_INJECTION]: The skill processes untrusted data from external sources such as Figma design specifications and user-provided feature descriptions. This creates a surface for indirect prompt injection where data entering the agent context could manipulate the agent's output or influence the execution of the vulnerable shell scripts. Ingestion points include the
qa-output-pathargument inSKILL.mdand Figma MCP integration described inreferences/figma_validation.md. The capability inventory includes the execution of local shell scripts. No sanitization, validation, or boundary markers are present in the provided files to mitigate the processing of embedded instructions.
Recommendations
- AI detected serious security threats
Audit Metadata