root-cause-tracing

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to indirect prompt injection.
      1. Ingestion points: The agent is directed to read and analyze untrusted error logs, console.error outputs, and test results.
      2. Boundary markers: None are provided to help the agent distinguish between legitimate log data and malicious instructions embedded in the logs.
      3. Capability inventory: The agent is empowered to execute shell commands (npm test, find-polluter.sh) and modify source files to add instrumentation.
      4. Sanitization: No sanitization or validation of the error output is performed.
    An attacker whose code is being debugged could output malicious instructions to the console to hijack the agent's workflow.
  • [COMMAND_EXECUTION] (MEDIUM): The skill's operational flow relies on the agent executing arbitrary shell commands, including 'npm test' and a local script './find-polluter.sh', which gives it high-privilege access to the local development environment.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The documentation references an external script named '@find-polluter.sh' that is not included in the skill's distribution, representing an unverifiable dependency that could contain malicious logic if sourced from an untrusted context.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 06:11 AM