promql-validator
Warn
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The workflow in SKILL.md instructs the agent to execute a shell command built from user-provided input: python3 devops-skills-plugin/skills/promql-validator/scripts/validate_syntax.py "<query>". Because the query is pasted between double quotes on a shell command line, an attacker can supply a query containing shell metacharacters (e.g., "; touch /tmp/exploited #) to close the quoted argument and execute arbitrary commands on the host system.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted user data (the PromQL query) without giving the agent clear instructions for sanitization or escaping, or for ignoring instructions embedded in the query.
- Ingestion points: User-supplied PromQL queries are passed to shell commands in SKILL.md.
- Boundary markers: The instructions suggest wrapping the query in double quotes ("<query>") but include no explicit sanitization requirements and no warning to ignore embedded instructions.
- Capability inventory: The agent can execute shell commands (python3, git) and read and write files in the local repository.
- Sanitization: There is no evidence of input validation or escaping logic in the instructions or the supporting Python scripts.
- [COMMAND_EXECUTION]: The skill requires the agent to establish its working directory by running git rev-parse --show-toplevel. While common for development tools, this involves automated shell execution in the local environment.
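The command-injection finding above, reproduced with a harmless stand-in, as an added example that is not part of this audit or of the promql-validator skill: printf stands in for validate_syntax.py, the attacker's payload echoes a marker instead of touching a file, and the hardened variants either pass the query as a single argv element with no shell involved or quote it with shlex.quote when a shell command line is unavoidable. The names run_vulnerable, run_safe, shell_safe_cmdline and MALICIOUS_QUERY, and the constructed inputs, are this example's own assumptions and do not appear in the skill.

```python
"""Shell-metacharacter breakout in an agent command template of the form
python3 .../validate_syntax.py "<query>", and two ways to close it off."""
import shlex
import subprocess

# Constructed stand-in for the validator: printf prints the single argument it
# receives, so the output shows exactly what reached the program. The skill's
# real validate_syntax.py is not used here.
VALIDATOR = ["printf", "query=%s\n"]

# Constructed attacker input in the shape the audit describes: a double quote to
# close the template's quoting, a command separator, the payload, and a comment
# character to swallow the template's trailing quote. The payload is a harmless
# echo instead of the touch in the audit text.
MALICIOUS_QUERY = '"; echo INJECTED #'


def run_vulnerable(query: str) -> str:
    """Interpolate the query into the double-quoted template and hand the line to
    /bin/sh, which is what an agent pasting the query into SKILL.md's command does."""
    cmdline = f'printf "query=%s\\n" "{query}"'
    result = subprocess.run(cmdline, shell=True, capture_output=True, text=True)
    return result.stdout


def run_safe(query: str) -> str:
    """Pass the query as one argv element. No shell parses the line, so quotes,
    semicolons and comment characters inside the query cannot alter the command."""
    result = subprocess.run(VALIDATOR + [query], capture_output=True, text=True)
    return result.stdout


def shell_safe_cmdline(query: str) -> str:
    """If the instructions must emit a shell command line (as SKILL.md does), the
    query has to go through shlex.quote instead of being wrapped in double quotes."""
    return "python3 validate_syntax.py " + shlex.quote(query)


def cmdline_argv(cmdline: str) -> list:
    """Tokenise a command line the way a POSIX shell would, to show that the
    shlex-quoted query survives as a single argument."""
    return shlex.split(cmdline)


def injected(output: str) -> bool:
    """True if the injected command actually ran (its marker is a line of its own)."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(MALICIOUS_QUERY)))
    print("safe:      ", repr(run_safe(MALICIOUS_QUERY)))
    print("quoted:    ", shell_safe_cmdline(MALICIOUS_QUERY))
```

Two things worth noticing when running it. The vulnerable path prints the marker on its own line because the shell executed echo as a second command, while the safe path hands the whole payload to the validator as ordinary text. Less obviously, the double-quoted template also mangles legitimate input: PromQL label matchers such as up{job="api"} use double quotes themselves, so the shell strips them and the validator sees up{job=api}. Passing the query as an argv element, or reading it from a file or stdin, fixes both the injection and the mangling.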
Audit Metadata