arkcli-gen
Warn
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides shell script templates (notably in
references/arkcli-gen.md) that utilize subshell execution and variable interpolation, such asVER=$(arkcli models get <name> ... | tr -d '"'). This pattern is vulnerable to command injection if the agent interpolates untrusted user input into the shell command without proper escaping, potentially allowing arbitrary code execution on the local system. - [DATA_EXFILTRATION]: The skill uses the
arkclitool with the--input @<path>argument to read local files and transmit them to a remote service for processing. While intended for providing reference material (e.g., images for Image-to-Video tasks), this capability can be abused to exfiltrate sensitive local files (such as SSH keys or credentials) if the agent is manipulated into reading arbitrary paths. - [PROMPT_INJECTION]: The skill constitutes an indirect prompt injection surface (Category 8) as it processes user-provided prompts and reference files which are then passed as arguments to a command-line tool.
- Ingestion points: User-supplied text prompts and local reference files ingested via the
--inputflag. - Boundary markers: None. The skill does not instruct the agent to use delimiters or ignore embedded instructions within the user input.
- Capability inventory: The skill executes a local binary (
arkcli) with network capabilities, reads local files, and writes files to the disk (--save-to). It also uses shell utilities liketr,jq, andbase66for data processing. - Sanitization: No validation or sanitization logic is provided to ensure that user-provided strings or file contents do not contain malicious payloads intended to influence the CLI tool's behavior.
- [EXTERNAL_DOWNLOADS]: The skill uses the vendor's CLI tool to download generated media assets from the 'volcengine' Ark platform to the local filesystem. These downloads are part of the skill's primary purpose and originate from the author's infrastructure.
Audit Metadata