adr-management
Fail
Audited by Gen Agent Trust Hub on May 24, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The create subcommand in scripts/adr_manager.py contains a path traversal vulnerability. The user-provided title argument is used to construct a filename without sanitizing directory traversal sequences like ../. This allows an attacker to write markdown files to arbitrary locations outside the intended ADRs/ directory.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads and processes the content of existing ADR markdown files from the repository. If an attacker introduces a malicious file (e.g., via a Pull Request), its content is loaded into the agent's context during search or listing operations, which could lead to the agent following embedded malicious instructions.
  - Ingestion points: adr_manager.py (list, get, and search subcommands) reads and outputs the contents of files from the ADRs/ directory.
  - Boundary markers: Absent. The skill does not use delimiters or instructions to ignore instructions found within the processed files.
- Capability inventory: The skill possesses file read and write capabilities within the local environment.
- Sanitization: Absent. File content is printed directly to stdout and incorporated into the agent's active context without filtering or escaping.
Recommendations
- AI detected serious security threats