cull
Fail
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: CRITICAL
Flags: COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute powerful system-level commands via bash, including 'launchctl', 'systemctl', and 'ps' for process management. It also utilizes 'sudo' for certain operations, such as clearing DNS caches ('sudo killall -INFO mDNSResponder'), and suggests destructive commands like 'rm -rf' for deleting directories (e.g., 'rm -rf node_modules').
- [DATA_EXFILTRATION]: The skill provides comprehensive patterns to locate and inspect highly sensitive files, including AWS credentials ('~/.aws/credentials'), SSH private keys ('~/.ssh/id_rsa'), and cryptocurrency wallet keystores ('~/.ethereum/keystore'). While intended for malware scanning, these capabilities provide a complete framework for credential harvesting and environment reconnaissance.
- [EXTERNAL_DOWNLOADS]: The documentation references external security research resources for threat intelligence. Automated scanners flagged 'https://blog.flatt.tech/entry/mini_shai_hulud' and its variants as malicious or blacklisted. While these appear to be citations for campaign data, their presence triggers security alerts and requires validation before use.
- [CREDENTIALS_UNSAFE]: The skill explicitly directs the agent to interact with and manage sensitive authentication tokens, including instructions for rotating AWS IAM keys, npm publish tokens, and GitHub Personal Access Tokens (PATs). It defines a specific sequence for handling these secrets, which involves checking for their presence and status on the filesystem.
- [PROMPT_INJECTION]: The skill employs strong, controlling language such as 'load-bearing rule', 'non-negotiable', and 'never instruct' to dictate agent behavior and prioritize specific workflows over standard safety checks, particularly regarding the order of service termination and credential rotation.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests untrusted data from the local environment, such as 'package-lock.json', 'requirements.txt', and system logs, to match against its IoC database.
  - Ingestion points: Reads contents of 'package-lock.json', 'pnpm-lock.yaml', 'requirements.txt', and terminal logs.
  - Boundary markers: No delimiters or 'ignore' instructions are used when interpolating file contents into the scanning logic.
  - Capability inventory: Includes bash execution, sensitive file reading, file deletion, and interaction with system service managers.
  - Sanitization: The skill lacks explicit sanitization or validation logic for external data before it is processed by the agent's logic.
Recommendations
- CRITICAL: 1 infected file(s) detected - DO NOT USE
- Contains 2 malicious URL(s) - DO NOT USE
Audit Metadata