relay-intake
Fail
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill is designed to process raw, potentially malicious user requests and transform them into structured task contracts. This data flow creates a surface where an attacker can embed instructions in the raw request to influence the generated JSON contract fields used by downstream tools.
  - Ingestion points: `SKILL.md` (argument hint) and `scripts/persist-request.js` (reads the contract). The agent processes raw user input to generate the contract.
  - Boundary markers: None found. No delimiters are used to wrap or isolate the untrusted raw request text.
  - Capability inventory: `scripts/relay-request.js` performs file writes and directory creation (`fs.mkdirSync`, `fs.writeFileSync`, `fs.appendFileSync`).
  - Sanitization: The normalization logic in `scripts/relay-request.js` (e.g., `normalizeLeafHandoff`) only performs basic type checking and string trimming, failing to validate against malicious path sequences.
- [COMMAND_EXECUTION]: Path Traversal in File Operations. The `scripts/relay-request.js` file uses the `leaf_id` field from the user-influenced contract to build file paths without sanitization.
  - Evidence: In `scripts/relay-request.js`, the `normalizeLeafHandoff` function takes `leaf_id` from the contract and only performs a `.trim()`. Later, in the `persistRequestContract` function, this `leafId` is used to construct `handoffPath` and `doneCriteriaPath` using `path.join(layout.relayReadyDir, fileName)` where ``fileName = `${handoff.leaf_id}.md` ``. A malicious `leaf_id` containing path traversal sequences (e.g., `../../../.ssh/authorized_keys`) could allow the agent to write files to sensitive locations on the host system.
Recommendations
- AI detected serious security threats
Audit Metadata