report
Fail
Audited by Gen Agent Trust Hub on Apr 23, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The directory resolution logic in Phase 0 contains a shell command injection vulnerability. The skill instructs the agent to execute a Bash script that resolves the REPORTS_DIR variable using an echo fallback command with direct variable interpolation: echo "./reports/$TOPIC_SLUG". Since the TOPIC_SLUG is extracted from an external data file (state.json) and is not validated for shell metacharacters (such as backticks, semicolons, or subshell syntax like $()), an attacker who can influence the content of the research session files could achieve arbitrary command execution when the agent runs this initialization step.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it ingests untrusted research findings from state.json and passes them directly to a sub-agent (report-synthesizer) for synthesis without adequate security controls.
  - Ingestion points: Findings and data points are read from the state.json file located in the {reports_dir}.
  - Boundary markers: The sub-agent prompt lacks any delimiters or specific instructions to treat the findings as untrusted data or to ignore any embedded instructions within that data.
  - Capability inventory: The sub-agent has access to tools such as Bash, Write, and SendMessage, which could be abused if the agent is manipulated by malicious findings content.
  - Sanitization: While the skill attempts basic sanitization of its initial arguments (truncation and stripping of backticks), it performs no validation or sanitization on the research data ingested from the file system.
Recommendations
- AI detected serious security threats
Audit Metadata