rust-learner
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted data from community-controlled sources like crates.io and lib.rs and processes it without sanitization.
- Ingestion points: External content from crates.io, lib.rs, docs.rs, and local files at `../../agents/*.md`.
- Boundary markers: Absent. The skill lacks instructions to ignore malicious directives embedded in external text.
- Capability inventory: Access to `Bash` (via the `agent-browser` CLI), `Task` (subagent execution), and the `Read`/`Glob` filesystem tools.
- Sanitization: None specified; the skill directly parses and formats external text, which could contain instructions to hijack the agent.
- COMMAND_EXECUTION (HIGH): The skill executes shell commands via `Bash` to run the `agent-browser` CLI. The URLs and selectors are dynamically constructed using external data (crate names, actionbook results). Without explicit sanitization, this presents a risk of command injection if an attacker can influence the crate metadata or the actionbook response.
- DATA_EXFILTRATION (MEDIUM): The skill uses relative path traversal (`../../agents/`) to read files outside its own directory. While intended for 'Agent Mode', this capability could be exploited to read sensitive files if the path logic is manipulated.
Recommendations
- AI detected serious security threats
Audit Metadata