aos-scaffold
Warn
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The workflow in `SKILL.md` instructs the agent to execute `./tools/cli/scaffold.sh` with user-provided `<template>` and `<project-name>` arguments. This pattern is vulnerable to command injection if a user provides input containing shell metacharacters such as semicolons, backticks, or pipes.
- [INDIRECT_PROMPT_INJECTION]:
  - Ingestion points: The `<template>` and `<project-name>` parameters are sourced from untrusted user input provided in the prompt.
  - Boundary markers: None present. The instructions do not use delimiters or provide warnings to the agent about treating these inputs as untrusted data.
  - Capability inventory: The skill allows the execution of local shell scripts via `./tools/cli/scaffold.sh` and the creation of files and directories on the local filesystem.
  - Sanitization: There is no instruction for the agent to validate or sanitize the input strings (e.g., ensuring they are alphanumeric) before passing them to the shell script.
Audit Metadata