c2-evasion-methodology

Pass

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute build commands (via bash) to verify that source modifications are functional. This involves running the project's build system (e.g., Makefile), which could execute arbitrary code contained within the project's build scripts or configuration if they have been maliciously crafted.
  • [PROMPT_INJECTION]: The skill implements a workflow that ingests untrusted external data in the form of YARA, Sigma, and Snort rules fetched from public GitHub repositories or via HTTP requests. This is a classic surface for indirect prompt injection.
    • Ingestion points: Rules are searched and retrieved from the internet as described in references/detection-search.md.
    • Boundary markers: The instructions lack explicit delimiters or instructions to treat the external rule content as data rather than instructions, which may lead the agent to follow directions embedded within those rules.
    • Capability inventory: The agent is granted capabilities to modify source code and execute shell commands (bash), which could be abused if an injected instruction is followed.
    • Sanitization: There is no evidence of sanitization or validation of the external content before it is processed by the agent.
Audit Metadata
Risk Level: SAFE
Analyzed: May 9, 2026, 08:28 AM