summarize
Fail
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The bash scripts in Phase 2 and Phase 3 interpolate the $FILE and $TOPIC_KEYWORDS variables directly into shell commands without sanitization, allowing for arbitrary command execution via shell metacharacters in the filename or topic arguments.
- [PROMPT_INJECTION]: The 'Self-Evolving Skill' and 'Post-Execution Reflection' sections explicitly instruct the agent to modify its own SKILL.md file. This self-modification capability can be exploited to achieve persistence of malicious instructions if an attacker can manipulate the input data to trigger a perceived 'failure' and suggest a malicious 'fix'.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted text files (recordings) without using boundary markers or sanitization. Malicious instructions embedded in the recorded content could be interpreted and executed by the agent during the analysis process, leveraging its access to tools like Bash and Write.
Recommendations
- AI detected serious security threats
Audit Metadata