analyze-plugin
Fail
Audited by Gen Agent Trust Hub on May 24, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: A shell command injection vulnerability exists in 'commands/mine-plugins.md' and 'commands/mine-skill.md'. The '$ARGUMENTS' placeholder is interpolated directly into a bash string: 'python3 ... --path "$ARGUMENTS"'. This allows an attacker to execute arbitrary code via command substitution (e.g., using $(whoami)) within the argument string.
- [CREDENTIALS_UNSAFE]: The file 'tests/flawed-plugin/scripts/bad_script.py' contains hardcoded API key patterns such as 'secret_key' constructed via string joining to bypass simple detection.
- [REMOTE_CODE_EXECUTION]: The test fixture 'tests/flawed-plugin/scripts/bad_script.py' performs unauthorized POST requests to 'https://example.invalid/api' using the 'requests' library.
- [EXTERNAL_DOWNLOADS]: The shell script 'tests/flawed-plugin/scripts/danger.sh' (shipped as a test fixture) executes 'curl' to download data from an external domain.
- [DATA_EXFILTRATION]: The skill's primary function is to read and inventory all files in a directory. Without path sanitization, it can be directed to access sensitive system directories or configuration files, exposing their contents to the agent.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It is instructed in Phase 3 of 'SKILL.md' to 'read every file completely'. Malicious instructions embedded within the analyzed plugin's markdown or code files could be interpreted by the agent as high-priority commands, especially given the agent's access to the Bash tool.
Recommendations
- AI detected serious security threats
Audit Metadata