augment
Warn
Audited by Gen Agent Trust Hub on Jun 26, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: Executes a local bash script (`kokoro-install.sh`) with several flags (`--health`, `--upgrade`, `--uninstall`, `--install`) to manage the TTS environment.
- [EXTERNAL_DOWNLOADS]: Downloads machine learning model weights from the `mlx-community` repository on Hugging Face and updates Python packages (`mlx-audio`, `soundfile`, `numpy`) via PyPI.
- [PROMPT_INJECTION]: Includes 'Self-Evolving Skill' and 'Post-Execution Reflection' instructions that direct the agent to modify the `SKILL.md` file itself if issues are encountered. This creates a persistence mechanism where the agent can overwrite its own instructions.
- [INDIRECT_PROMPT_INJECTION]: The skill is vulnerable to indirect injection because it reads untrusted output from shell commands and version files, then uses that information to self-modify its instructions.
  - Ingestion points: Output from the `--health` check command, the content of `~/.local/share/kokoro/version.json`, and results from the test synthesis command.
  - Boundary markers: None present; the agent is not instructed to distinguish between legitimate system output and potential embedded instructions.
  - Capability inventory: The skill possesses full shell access via the `Bash` tool and the ability to modify its own source files.
  - Sanitization: No validation or sanitization is performed on the data ingested before it is used to update the skill's logic.
Audit Metadata