replicas-agent

Warn

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill requires the use of sudo to start and manage the Docker daemon as described in references/DOCKER.md. It also utilizes shell commands to execute background services via setsid and nohup in references/PREVIEWS.md.
  • [DATA_EXFILTRATION]: The skill instructs the agent to upload image data to Imgur, a third-party external service, in references/GITHUB.md. It also performs network operations using curl to interact with Slack and Linear APIs, transmitting data authenticated via environment variables (SLACK_BOT_TOKEN, LINEAR_ACCESS_TOKEN).
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its processing of untrusted data from multiple external sources.
      ◦ Ingestion points: The agent reads data from Slack threads (conversations.replies), Linear issues (issueSearch), and GitHub pull requests or issues (gh pr view, gh issue view).
      ◦ Boundary markers: There are no specified boundary markers or instructions to delimit or ignore instructions embedded within the ingested data.
      ◦ Capability inventory: The agent has the ability to execute shell commands (gh, docker, replicas), write to the filesystem (for service logging), and perform arbitrary network requests via curl.
      ◦ Sanitization: The skill does not mention any sanitization, filtering, or validation steps for content retrieved from external integrations before it is processed by the agent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 11, 2026, 11:03 AM