offload2
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONNO_CODEPROMPT_INJECTION
Full Analysis
- [NO_CODE] (HIGH): The core logic resides in
scripts/offload.sh, which is not provided. This prevents verification of the script's safety and is a major security gap. - [COMMAND_EXECUTION] (HIGH): The skill executes a local shell script with arbitrary input. Without the source, it is impossible to determine if the script properly sanitizes input to prevent shell metacharacter injection.
- [PROMPT_INJECTION] (HIGH): Category 8 Evidence: (1) Ingestion: Arbitrary text via stdin. (2) Boundary markers: None. (3) Capability: Local file write/append. (4) Sanitization: Unknown. The ingestion of untrusted reasoning state into the filesystem creates a significant indirect prompt injection surface.
- [COMMAND_EXECUTION] (MEDIUM): The
OFFLOAD2_FILEvariable allows writing to arbitrary host paths. An attacker could potentially overwrite sensitive configuration files or achieve persistence by targeting shell profiles.
Recommendations
- AI detected serious security threats
Audit Metadata