pairing
Fail
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Privilege Escalation (HIGH): The skill exposes administrative functions that can grant 'owner' status (defined as full admin access) without implementing any permission checks. Specifically, the `/trust <user> owner` and `/pairing approve <code>` commands in `index.ts` execute their logic regardless of who is calling the function, enabling unauthorized users to elevate their trust levels.
- Indirect Prompt Injection (LOW): The skill is highly vulnerable to instructions embedded in user-provided data.
  - Ingestion points: The `args` parameter in the `execute` function in `index.ts` accepts raw strings that are parsed into commands.
  - Boundary markers: Absent. There are no delimiters or developer instructions to ensure the agent ignores embedded commands within the data it processes.
  - Capability inventory: The skill has the capability to modify the underlying database via `svc.setOwner`, `svc.approveRequest`, and `svc.removePairedUser` (found in `index.ts`).
  - Sanitization: Absent. Arguments are processed using basic whitespace splitting (`args.trim().split(/\s+/)`) with no validation of the identity or authority of the input source.
Recommendations
- AI detected serious security threats
Audit Metadata