doc-ctr-reviewer

Fail

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill requires the AI agent to run mandatory shell commands (bash) to compute file and section hashes with sha256sum and sed. The inputs to those commands, such as <file_path> and section names, are taken directly from Data Contract (CTR) and Requirement (REQ) documents (e.g., from @req tags or markdown links). A document that carries a crafted path or anchor name (for example, one containing semicolons or backticks) can therefore inject arbitrary shell commands into the agent's session.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it ingests untrusted documentation whose content flows into the agent's context and steers its review and analysis logic.
    • Ingestion points: Data Contract (CTR) and Requirement (REQ) documents, specifically metadata tags, link paths, and section headings.
    • Boundary markers: Absent; the skill gives no instructions to isolate document content or to warn the agent against executing instructions found within the data.
    • Capability inventory: Full shell access (via the provided bash command templates), local file system read/write access (for report generation and drift-cache maintenance), and state persistence via JSON files.
    • Sanitization: Absent; there is no mechanism to validate, escape, or sanitize the content and paths extracted from upstream artifacts before they are used in commands or logic.
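The two findings above describe the pattern concretely enough to set it beside a hardened version. The block below is an added example written for this page, not code from the doc-ctr-reviewer skill or from Gen Agent Trust Hub: NAIVE_TEMPLATE is a hypothetical reconstruction of the kind of bash template the audit describes, and SAMPLE_CTR, the repository layout and every function name are constructed assumptions. It shows how a path or section name lifted from a document reaches the shell verbatim, and how to compute the same file and section hashes without a shell at all: resolve the path inside the repository root, allow-list the section name, and hash in process with hashlib (or, if sha256sum is unavoidable, pass argv as a list that ends the options with `--`).

```python
"""Hash CTR/REQ files and sections without building a shell command line.

Added example for this audit page; it is not code from the doc-ctr-reviewer
skill. NAIVE_TEMPLATE, SAMPLE_CTR and the repository layout are constructed
here to illustrate the finding.
"""
import hashlib
import re
import shlex
import tempfile
from pathlib import Path

# Hypothetical reconstruction of a bash template of the kind the audit
# describes: both placeholders are filled straight from document metadata.
NAIVE_TEMPLATE = (
    "sha256sum {file_path} | cut -d' ' -f1; "
    "sed -n '/^## {section}/,/^## /p' {file_path}"
)

# Allowed section names: alphanumeric start, then letters, digits, space and
# a few safe punctuation characters; no shell metacharacters, at most 80 chars.
SECTION_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _./-]{0,79}$")

# Constructed sample document standing in for a Data Contract file.
SAMPLE_CTR = (
    "# CTR-001 Payment Contract\n"
    "@req docs/req/REQ-001.md\n"
    "\n"
    "## Schema\n"
    "amount: integer\n"
    "currency: string\n"
    "\n"
    "## Errors\n"
    "E001 invalid amount\n"
)


def render_naive(file_path: str, section: str) -> str:
    """Plain substitution into the template: whatever the document says
    becomes part of the command line, metacharacters included."""
    return NAIVE_TEMPLATE.format(file_path=file_path, section=section)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def resolve_inside(root: Path, candidate: str) -> Path:
    """Resolve a document-supplied path and refuse anything that is not a
    regular file under the repository root. This blocks ../ escapes and any
    'path' that is really a command fragment, since no such file exists."""
    root = root.resolve()
    target = (root / candidate).resolve()
    if target != root and root not in target.parents:
        raise ValueError(f"path escapes repository root: {candidate!r}")
    if not target.is_file():
        raise ValueError(f"not a regular file under root: {candidate!r}")
    return target


def file_sha256(path: Path) -> str:
    """Stream the file through hashlib; no sha256sum process is needed."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def section_text(path: Path, section: str) -> str:
    """In-process counterpart of the sed range: the '## <section>' heading
    and its body, up to (not including) the next '## ' heading."""
    if not SECTION_RE.match(section):
        raise ValueError(f"unsafe section name: {section!r}")
    out, inside = [], False
    for line in path.read_text(encoding="utf-8").splitlines(keepends=True):
        if line.startswith("## "):
            if inside:
                break
            inside = line[3:].strip() == section
        if inside:
            out.append(line)
    if not out:
        raise KeyError(f"section not found: {section!r}")
    return "".join(out)


def section_sha256(root: Path, file_path: str, section: str) -> str:
    """Validate both untrusted inputs, then hash the section in Python."""
    target = resolve_inside(root, file_path)
    return sha256_hex(section_text(target, section).encode("utf-8"))


def hash_argv(path: Path) -> list:
    """If sha256sum really must be invoked, pass argv as a list (no shell)
    and terminate options with '--' so a leading '-' cannot become a flag."""
    return ["sha256sum", "--", str(path)]


def make_sample_repo() -> Path:
    """Write the constructed contract into a fresh temp dir; return its root."""
    root = Path(tempfile.mkdtemp(prefix="ctr-review-"))
    doc = root / "ctr" / "CTR-001.md"
    doc.parent.mkdir()
    doc.write_text(SAMPLE_CTR, encoding="utf-8")
    return root


if __name__ == "__main__":
    repo = make_sample_repo()
    crafted = "ctr/CTR-001.md; echo pwned"  # value a hostile @req tag could carry
    print("naive template renders:", render_naive(crafted, "Schema"))
    print("hardened argv:", shlex.join(hash_argv(repo / "ctr" / "CTR-001.md")))
    print("section hash:", section_sha256(repo, "ctr/CTR-001.md", "Schema"))
    try:
        section_sha256(repo, crafted, "Schema")
    except ValueError as exc:
        print("rejected:", exc)
```

The same two checks address the Sanitization and Capability-inventory items: once hashes are computed in process, the skill's bash templates can be dropped from the agent's instructions altogether, which removes the shell from the capability inventory rather than trying to escape its inputs.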
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 7, 2026, 04:25 AM
Security Audit — agent-trust-hub — doc-ctr-reviewer