sister-script
Pass
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is configured with the run_terminal_cmd tool and explicitly describes a workflow for generating and executing shell commands and Python scripts. This is part of its intended 'LIFT' stage for automating proven procedures.
- [INDIRECT_PROMPT_INJECTION]: The skill exposes an attack surface for indirect prompt injection through its EXTRACT and FOLLOW methods. These methods ingest untrusted data (user-defined Markdown procedures) and use it to generate executable Python code or to perform agent actions.
- Ingestion points: Data enters the agent context through PROCEDURE.md files and sister script manifests (SISTER.yml).
- Boundary markers: The provided templates (PROCEDURE.md.tmpl) lack explicit delimiters or instructions to ignore malicious prompts embedded within the procedure steps.
- Capability inventory: The skill uses write_file to create scripts and run_terminal_cmd to execute them, creating a path from untrusted text to system execution.
- Sanitization: No explicit sanitization or validation of the input procedure content is defined before the code generation step.
Audit Metadata