ac-session-manager
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to indirect prompt injection via the {spec} ingestion point in the Initializer Prompt.
  - Ingestion points: The spec variable in SKILL.md (Initializer Prompt) and the project files/features in the Continuation Prompt.
  - Boundary markers: Absent. The user-provided specification is directly interpolated into the system-level instructions.
  - Capability inventory: Includes the Bash, Write, Edit, Read, Glob, and Grep tools.
  - Sanitization: None. There is no evidence of validation for the specification or the generated files.
- [Command Execution] (HIGH): The skill explicitly generates and likely executes an init.sh script based on the AI's interpretation of the untrusted {spec} input. This allows arbitrary code execution if the AI is manipulated via the specification into including malicious commands in the scaffolded files.
- [Data Exposure & Exfiltration] (MEDIUM): The SessionConfig grants the agent access to all files within the current directory (./**) using powerful tools such as Grep, Read, and Bash. While no explicit exfiltration endpoint is defined, the presence of the Bash tool enables the agent to send sensitive project data to external servers if prompted to do so.
- [Privilege Escalation] (LOW): While sandbox_enabled is set to True by default, the skill itself manages the configuration, and a prompt injection could theoretically attempt to disable this or use the Bash tool to probe for environment weaknesses.
Recommendations
- AI detected serious security threats
Audit Metadata