scrape-codegen-generate

Warn

Audited by Gen Agent Trust Hub on Jun 26, 2026

Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8). It reads external data from multiple extraction analysis files and synthesizes them into executable Python code without sanitization or boundary markers.\n
  • Ingestion points: Stage 1 analysis files in {work_path}/codegen-analyze/ and schema definitions in {spec_path}.\n
  • Boundary markers: Absent. The prompt instructions do not provide delimiters or warnings to ignore embedded instructions within the input JSON files.\n
  • Capability inventory: The skill uses Read and Write tools and has access to Bash.\n
  • Sanitization: Absent. There is no validation or escaping of the content extracted from JSON files before it is interpolated into the generated Python module.\n- [COMMAND_EXECUTION]: The skill generates Python code and writes it to an output_path derived from the $ARGUMENTS string. The absence of path validation or sandboxing allows for a path traversal attack, where a user could specify sensitive locations such as shell profile directories (~/.bashrc) or cron jobs to achieve persistence or arbitrary command execution.\n- [DATA_EXFILTRATION]: The skill uses positional arguments from $ARGUMENTS to perform file read operations via the Read tool. Without validation, this presents a directory traversal surface, potentially allowing the agent to be tricked into reading sensitive local configuration files (e.g., credentials or environment variables) by providing manipulated path strings.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 26, 2026, 03:33 PM
Security Audit — agent-trust-hub — scrape-codegen-generate