tracer-dev
Fail
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill parses and runs shell commands directly from the 'steps' array in 'state.json' during the validation phase. This allows for arbitrary command execution on the host system if the state file is maliciously crafted.
- [REMOTE_CODE_EXECUTION] (HIGH): The execution of logic defined in external project-level data files allows for RCE through untrusted repositories, malicious pull requests, or modified project state.
- [DATA_EXFILTRATION] (LOW): Task details and project state are sent to 'openrouter/z-ai/glm-4.7-flash' via a background agent. This involves transmitting potentially sensitive code context to an external LLM provider not listed in the trusted whitelist.
- [PROMPT_INJECTION] (LOW): The skill exhibits an indirect prompt injection surface by ingesting data from 'state.json' and 'PROGRESS.md' without sanitization or boundary markers, which directly influences agent behavior and executed commands.
- [Category 8 Evidence]: 1. Ingestion points: docs/tracers/**/state.json, PROGRESS.md. 2. Boundary markers: Absent. 3. Capability inventory: Bash execution (afplay, git, and custom task steps). 4. Sanitization: None detected.
Recommendations
- AI detected serious security threats
Audit Metadata