credentials
Fail
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill instructs the agent to search for and read centralized credential files at sensitive paths such as ~/.secrets/keys.txt, ~/.credentials.txt, and ~/Documents/Access.txt.
- [CREDENTIALS_UNSAFE]: The skill provides comprehensive regex patterns to harvest authentication tokens for numerous services, including AWS Access Keys, GitHub Tokens, Stripe Secret Keys, and Supabase Service Role Keys.
- [DATA_EXFILTRATION]: Extracted credentials are sent to official validation endpoints for services like OpenAI, Anthropic, and Reddit using curl. This process involves transmitting sensitive master keys from a local store to external servers.
- [COMMAND_EXECUTION]: The skill utilizes shell commands (curl) to perform network requests and cat to write environment variables, interpolating extracted credentials directly into the execution string.
- [PROMPT_INJECTION]: The skill processes untrusted data from local files and incorporates it into agent instructions and shell commands without specific boundary markers or sanitization, creating a surface for indirect prompt injection. Findings for this category involve: (1) Ingestion point: SKILL.md via parse_credentials_file; (2) Boundary markers: absent; (3) Capability inventory: subprocess calls via curl, file-write via cat in SKILL.md; (4) Sanitization: absent.
Recommendations
- AI detected serious security threats
Audit Metadata