nas-knowledge-base
Pass
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes multiple shell commands on a remote system via SSH (e.g., ls, cat, grep, rm). It constructs these commands by interpolating variables into shell strings (e.g., ssh -p $KB_PORT $KB_USER@$KB_HOST "cat > '~/kb/<category>/<filename>.md' ..."), which presents a potential command injection surface if the agent does not strictly validate file paths and category names.
- [DATA_EXFILTRATION]: The skill reads connection metadata from a local configuration file at ~/.config/knowledge-base/config.json. Additionally, it notes that the knowledge base may contain sensitive data like API keys and tokens, acknowledging the handling of sensitive content as a primary function of the skill.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes external data from a remote NAS that is not under the immediate control of the skill's static code.
- Ingestion points: Reading note content via cat and searching through files via grep, as described in SKILL.md.
- Boundary markers: None identified for distinguishing file content from instructions.
- Capability inventory: Remote shell command execution via SSH across the NAS file system.
- Sanitization: No specific sanitization or escaping of note content is described before the agent processes it.
Audit Metadata