human-management
Warn
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONCREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/manage-humans-registry.shconstructs ajqfilter string by directly interpolating shell variables such as$NAMEand$LEVELin theaction_updatefunction. This pattern is vulnerable tojqinjection, where a crafted input could break out of the intended logic to modify other parts of the JSON registry or cause execution errors. - [CREDENTIALS_UNSAFE]: The script
scripts/create-human.shaccesses a sensitive local secrets file at/data/hiclaw-secrets.envto retrieve administrative tokens and passwords. Additionally, the script outputs the generated password for new human accounts in plain text within the final JSON result, which could lead to accidental credential exposure if the agent's output is logged or shared.
Audit Metadata