senior-devops
Fail
Audited by Gen Agent Trust Hub on Feb 13, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest and analyze untrusted external project files.
  - Evidence 1 (Ingestion): The 'target_path' parameter in 'scripts/pipeline_generator.py', 'scripts/terraform_scaffolder.py', and 'scripts/deployment_manager.py' allows processing of arbitrary directories.
  - Evidence 2 (Boundaries): No boundary markers or 'ignore' instructions are present.
  - Evidence 3 (Capability): 'SKILL.md' describes high-privilege capabilities including 'docker build', 'kubectl apply', and 'terraform'.
  - Evidence 4 (Sanitization): No sanitization or validation of the ingested file content is performed.
  This creates a high-severity risk where malicious content in a project directory could take control of the agent's deployment actions.
- External Downloads (MEDIUM): The 'SKILL.md' documentation instructs the agent to run 'npm install' and 'pip install -r requirements.txt', yet the package manifests (package.json and requirements.txt) are not included in the provided skill files. This prevents verification of dependencies and creates an unverifiable dependency chain.
- Command Execution (LOW): The skill documentation explicitly encourages the use of shell commands for building, deploying, and managing infrastructure. While functional, this represents the primary attack surface through which an indirect prompt injection would be executed.
Recommendations
- AI detected serious security threats
Audit Metadata