m11-ecosystem
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill definition utilizes a shell command (
grep) to extract dependency information from theCargo.tomlfile. Executing shell commands directly from skill instructions poses a risk if the execution environment is not strictly sandboxed. - PROMPT_INJECTION (HIGH): Indirect Prompt Injection vulnerability (Category 8). The skill ingests content from
Cargo.toml, an external file that could be controlled by an attacker (e.g., via a malicious pull request or a compromised project). This content is provided to the agent as context without protective measures. - Ingestion points:
Cargo.toml(read via the!grepshell command). - Boundary markers: Absent; the output of the command is injected directly into the agent's prompt context without delimiters or instructions to ignore embedded commands.
- Capability inventory: The skill's stated purpose involves "integrating crates", "FFI integration", and "dependency management", which strongly implies the agent has permissions to modify project files and execute build tools (e.g.,
cargo). - Sanitization: Absent; no escaping or validation is performed on the data read from the file.
Recommendations
- AI detected serious security threats
Audit Metadata