favicon
Fail
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill executes several shell commands (magick, rsvg-convert, cp, rm) to process images and manage filesystem assets during icon generation.
- [COMMAND_EXECUTION]: Command injection risk: in Step 5 the skill executes shell commands built around the $1 placeholder, which holds the user-supplied source image path. Because this value is interpolated directly into a shell command string rather than passed as a separate argument, a path containing shell metacharacters (e.g. backticks, $(...) or ;) would execute arbitrary commands on the system.
- [PROMPT_INJECTION]: Indirect prompt injection surface: in Step 3 the skill automatically extracts the application name from project files and reuses that string in later steps.
 - Ingestion points: site.webmanifest, package.json and config/application.rb are read in Step 3.
 - Boundary markers: absent. The extracted data is used directly in templates, with no delimiters and no instruction to treat the content as untrusted data rather than instructions.
 - Capability inventory: the extracted data is written into site.webmanifest (Step 6) and used to modify HTML layout files (Step 7).
 - Sanitization: absent. There is no evidence of validation or escaping of the strings extracted from these files before they are written into the manifest or the HTML.
- [COMMAND_EXECUTION]: The skill instructs the user to run commands with elevated privileges (sudo apt install), which encourages an unsafe habit when the user does not verify what is being installed or where it comes from.
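The two findings above can be reproduced with a small shell model of the skill's steps. The script below is an added example, not the skill's own code or anything published by the auditor: it pairs a Step 5 style invocation that re-parses the source path as shell with a variant that validates the path and passes it as a single argument, and a Step 3/Step 7 style extraction of the application name from package.json with HTML escaping before the name is written into a layout. The function names, the printf stand-in that replaces the real magick/rsvg-convert call (so the script runs without ImageMagick), the package.json contents and the hostile inputs are all constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not the favicon skill's code): a minimal model of Step 5
# (shell command over the $1 source path) and Steps 3/7 (app name read from
# package.json and written into HTML). magick/rsvg-convert is replaced by a
# printf stand-in so the script runs on any POSIX shell.

# Vulnerable form, as the audit describes it: the path is spliced into a
# command string that a second shell parses, so metacharacters in the
# path (; $(...) backticks) become commands.
generate_icon_unsafe() {
    src="$1"
    sh -c "printf 'would run: magick %s -resize 32x32 favicon-32.png\n' $src"
}

# Hardened form: allowlist the characters in the path, refuse option-like
# and traversal paths, require an existing regular file, and hand the
# path to the tool as ONE argument that is never re-parsed by a shell.
generate_icon_safe() {
    src="$1"
    case "$src" in
        ''|-*|*..*|*[!A-Za-z0-9._/-]*)
            printf 'refusing suspicious source path: %s\n' "$src" >&2
            return 1 ;;
    esac
    [ -f "$src" ] || { printf 'source image not found: %s\n' "$src" >&2; return 1; }
    printf 'would run: magick %s -resize 32x32 favicon-32.png\n' "$src"
}

# Step 3 stand-in: pull "name" out of package.json with a deliberately
# narrow pattern (first "name": "..." line only; JSON escapes not handled).
extract_app_name() {
    sed -n 's/^[[:space:]]*"name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Step 7 stand-in: escape the extracted name before it lands in HTML.
# Control characters are dropped and the length is capped so a hostile
# package.json cannot smuggle markup or an oversized payload into layouts.
# '&' is escaped first so the entities added afterwards are not re-escaped.
html_escape() {
    printf '%s' "$1" | tr -d '\000-\037\177' | cut -c1-120 |
        sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
            -e 's/"/\&quot;/g' -e "s/'/\&#39;/g"
}

# Constructed demo inputs (not real project files).
demo_dir="$(mktemp -d)"
cat > "$demo_dir/package.json" <<'EOF'
{
  "name": "Acme <script>alert(1)</script>",
  "version": "1.0.0"
}
EOF
: > "$demo_dir/logo.png"

echo "== unsafe variant with a hostile path =="
generate_icon_unsafe 'logo.png; echo INJECTED'

echo "== safe variant =="
generate_icon_safe 'logo.png; echo INJECTED' || echo "(rejected, as intended)"
generate_icon_safe "$demo_dir/logo.png"

echo "== app name handling =="
raw_name="$(extract_app_name "$demo_dir/package.json")"
printf 'raw:     %s\n' "$raw_name"
printf 'escaped: <title>%s</title>\n' "$(html_escape "$raw_name")"
rm -rf "$demo_dir"
```

The unsafe variant prints an extra INJECTED line because the `; echo INJECTED` tail of the path is executed by the inner shell; the safe variant never lets that happen even if the allowlist were loosened, because the path is a single argv element. The manifest written in Step 6 needs its own JSON escaping in the same spirit; HTML escaping alone does not make a string safe inside a JSON document.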
Recommendations
- AI detected serious security threats
Audit Metadata