worker-model-switch
Pass
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: SAFE
Flags: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill script executes standard system utilities including `jq`, `mc`, and `curl` to manipulate JSON files, manage remote storage, and send API requests (update-worker-model.sh).
- [CREDENTIALS_UNSAFE]: The script sources sensitive configuration files at `/data/hiclaw-secrets.env` and `/opt/hiclaw/scripts/lib/hiclaw-env.sh` to retrieve authentication tokens for internal services. These actions are performed within the scope of intended system administration (update-worker-model.sh).
- [DATA_EXFILTRATION]: The skill performs network operations to platform-specific servers (AI Gateway and Matrix) using credentials sourced from the environment. These requests are part of the core functionality to verify model status and notify worker containers (update-worker-model.sh).
- [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection by processing worker names and model IDs provided by the user and interpolating them into shell commands and JSON structures.
  - Ingestion points: CLI arguments `--worker`, `--model`, and `--context-window` in update-worker-model.sh.
  - Boundary markers: No explicit delimiters are used to wrap user-provided input in the command execution flow.
  - Capability inventory: Authenticated network access (`curl`), remote storage modification (`mc`), and local configuration patching (`jq`) as seen in update-worker-model.sh.
  - Sanitization: The script performs minimal cleaning by stripping model prefixes but does not validate the format or contents of the worker name or model ID before use in command strings.
Audit Metadata