ironclad
Fail
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: HIGH
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Employs curl to interact with Ironclad's API for listing and creating workflows, records, and webhooks. These commands utilize environment variables for instance configuration and authentication.
- [EXTERNAL_DOWNLOADS]: Fetches contract documents from the configured Ironclad host and saves them to the local filesystem (/tmp/contract.pdf). While automated scans flagged this as a potential remote code execution risk, the skill documentation only covers the download operation without instructions to execute the resulting file.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface (Category 8) by ingesting untrusted data from an external platform (Ironclad).
  - Ingestion points: Data retrieved from the Ironclad API host ($IRONCLAD_HOST) in response to GET requests for workflows and records (SKILL.md).
  - Boundary markers: None identified. The skill does not instruct the agent to treat data from the API as untrusted or separate it from system instructions.
  - Capability inventory: File system write access (/tmp), network operations (curl), and document downloading (SKILL.md).
  - Sanitization: No evidence of sanitization, validation, or escaping of the content returned by the API before processing.
- [DATA_EXFILTRATION]: Sensitive contract metadata and POST request bodies are written to temporary files in /tmp (e.g., /tmp/ironclad_workflow.json). This practice could lead to local data exposure in shared or insecure compute environments.
Recommendations
- HIGH: Downloads and executes remote code from: https://$IRONCLAD_HOST/public/api/v1/workflows/ (DO NOT USE without thorough review)
Audit Metadata