doc-verifier
Fail
Audited by Gen Agent Trust Hub on Jun 26, 2026
Risk Level: HIGHCOMMAND_EXECUTIONCREDENTIALS_UNSAFEDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill implements a workflow to parse documentation files, extract code blocks or lines starting with shell prompt characters, and execute them using the Bash tool. This bypasses typical safety boundaries by allowing the content of text files to dictate system operations.
- [CREDENTIALS_UNSAFE]: Instructions direct the agent to read /etc/kolla/*/ and globals.yml. In OpenStack environments, these files are the primary storage for deployment secrets, including database passwords, service credentials, and cryptographic keys.
- [DATA_EXFILTRATION]: The skill utilizes curl for 'Endpoint Drift' detection. The combination of access to credential files and the ability to make network requests provides a technical path for exfiltrating sensitive system information.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. If a documentation file is compromised or contains maliciously formatted 'verification' steps, the agent's filtering logic (attempting to block destructive commands) can be bypassed through common shell techniques, leading to unauthorized system changes.
- Ingestion points: docs/operations-manual/ and docs/runbooks/
- Boundary markers: Absent
- Capability inventory: Bash (command execution), Read (file access), Grep, Glob, Curl (network access)
- Sanitization: Absent (reliance on brittle 'read-only' keyword filtering)
Recommendations
- AI detected serious security threats
Audit Metadata