audit-skill-by-derailment
Warn
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to fetch content from arbitrary GitHub repositories using
gh api. These files are downloaded to a temporary directory (/tmp/skill-test/) and subsequently used as primary instructions for a subagent. - [PROMPT_INJECTION]: The skill is highly vulnerable to Indirect Prompt Injection (Category 8). It downloads untrusted
SKILL.mdand reference files from remote repositories and directs a subagent to follow their instructions. - Ingestion points:
SKILL.mdStep 1 downloads remote skill files via the GitHub API. - Boundary markers: Absent. The subagent prompt in Step 3 does not use delimiters or sanitization for the untrusted remote content.
- Capability inventory: The subagent follows the downloaded skill's workflow, which may include file reads, writes, and network operations across multiple scripts (e.g.,
scripts/launch-derailment.sh). - Sanitization: No validation or filtering is applied to the downloaded content before it is processed by the subagent.
- [COMMAND_EXECUTION]: The script
scripts/launch-derailment.shusesbash -lc "$agent_cmd"to execute a shell command provided by the user or environment. While intended for agent CLI integration, this pattern provides a direct path for arbitrary command execution.
Audit Metadata