vault
Warn
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill specifies shell command patterns (using grep, find, and cat) that directly incorporate user-supplied search queries and vault paths. This creates a significant command injection surface if the agent executes these commands as written without sanitizing shell metacharacters (e.g., ;, &, |). If a user provides a malicious search query or a path like ~/notes; rm -rf /, it could lead to arbitrary code execution.
- [DATA_EXFILTRATION]: The skill permits the agent to read arbitrary file paths on the system by 'connecting' them as vaults. An attacker could use social engineering to trick a user into connecting sensitive directories (such as ~/.ssh or ~/.aws) or exploit the command injection vulnerability to read and potentially exfiltrate sensitive system secrets.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted external data from markdown notes.
  - Ingestion points: Contents of markdown files from external vault paths entering the agent context during search or read operations (SKILL.md).
  - Boundary markers: Absent; the agent is instructed to read the files directly into its context without delimiters or warnings to ignore embedded instructions.
  - Capability inventory: Execution of grep, cat, and find subprocesses, which can be influenced by file content or used to retrieve more data (SKILL.md).
  - Sanitization: Absent; the content of the files is read and processed without filtering or escaping techniques.
Audit Metadata