managing-imports
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION)
Full Analysis
- [COMMAND_EXECUTION]: The skill performs extensive system-level operations using bash commands such as `find`, `mv`, `mkdir`, and `shasum`. It also executes Python modules and generates shell scripts (`import-plan-*.sh`) for execution.
- [COMMAND_EXECUTION]: A critical vulnerability exists in the 'Track Status' operation where a shell variable containing a filename (`$file`) is interpolated directly into a Python code string: `detect_term('$file')`. This allows for arbitrary Python code execution if a file in the staging directory is named maliciously (e.g., using single quotes to break out of the string context).
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it processes files from an untrusted source (`imports/inbox`).
  - Ingestion points: The skill reads filenames and contents from the `imports/inbox` directory to classify types and detect academic terms.
  - Boundary markers: No boundary markers or instructions to ignore embedded commands are present in the logic.
  - Capability inventory: The skill possesses capabilities to move files, execute Python code, and perform database queries.
  - Sanitization: There is no evidence of sanitization for filenames or file contents before they are used in command-line arguments or Python script generation.
- [CREDENTIALS_UNSAFE]: The skill explicitly loads and reads a `.env` file to retrieve sensitive database credentials, including `DB_HOST`, `DB_NAME`, `DB_USER`, and `DB_PASSWORD`, for use in database connections.
- [DATA_EXFILTRATION]: The skill reveals sensitive system information by using absolute local paths (`/Users/anthonybyrnes/...`), which discloses the host's username and internal project directory structure.
Recommendations
- AI detected serious security threats