qiita
Fail
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The `urlencode` function in `scripts/qiita.sh` is vulnerable to command injection via its use of `python3 -c`. The function interpolates the `$string` shell variable directly into a Python command string using triple quotes (`'''$string'''`). An attacker can break out of the string literal by including triple quotes in the input, allowing for the execution of arbitrary Python code and shell commands.
  - Evidence: `python3 -c "import urllib.parse; print(urllib.parse.quote('''$string''', safe=''))"` in `scripts/qiita.sh`.
  - Impact: Since the agent uses this script to process article titles, tags, and search queries—data which can be controlled by third parties on Qiita—this vulnerability could lead to a system compromise when the agent interacts with malicious content.
- [PROMPT_INJECTION]: The skill fetches and processes technical articles and comments from the Qiita platform, which are external, user-generated sources. This introduces a surface for indirect prompt injection attacks.
  - Ingestion points: `scripts/qiita.sh` retrieves article content and metadata from `https://qiita.com/api/v2` across multiple commands including `item search` and `comment list`.
  - Boundary markers: Absent. The agent receives the external content without delimiters or specific instructions to ignore embedded commands.
  - Capability inventory: The script can read arbitrary local files via the `--body-file` parameter in `cmd_item_post` and perform write or delete actions on articles and comments.
  - Sanitization: Absent. The script lacks sanitization for the natural language content it retrieves, relying only on structural JSON formatting via `jq` and URL encoding for parameters.
Recommendations
- AI detected serious security threats
Audit Metadata