training-check
Warn
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses unrestricted Bash and executes commands on remote servers via SSH (e.g., 'ssh server tail -100 /path/to/training.log') to access training logs. \n- [COMMAND_EXECUTION]: The skill uses 'CronCreate' to establish persistence by scheduling recurring tasks and specifically instructs the agent to automate this setup and management without seeking user approval ('do not ask the user whether to set it up. Just set it'). \n- [PROMPT_INJECTION]: The skill contains instructions that attempt to override the agent's standard interaction model by bypassing user consent for persistence mechanisms. \n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by ingesting untrusted data from external sources and interpolating it into a prompt for a secondary model. \n
- Ingestion points: WandB API run history and SSH log output. \n
- Boundary markers: Absent in the Codex prompt template. \n
- Capability inventory: Unrestricted shell access, file modification, and the ability to terminate sessions. \n
- Sanitization: No sanitization of the ingested content is performed before interpolation. \n- [DATA_EXFILTRATION]: The skill accesses potentially sensitive information, including training metrics and raw log files from remote servers, which may contain proprietary data or system information.
Audit Metadata