zendesk
Warn
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: Path Traversal vulnerability in file write operations.
  - Files: `src/zendesk_skill/operations.py` (function `download_attachment`) and `src/zendesk_skill/storage.py` (function `save_response`).
  - Evidence: Both functions accept a user-provided `output_path` or construct a path using a filename extracted from a URL without adequate sanitization. An attacker could manipulate these paths (e.g., using `../../`) to create or overwrite sensitive files on the system outside the intended storage directory.
- [PROMPT_INJECTION]: Susceptibility to Indirect Prompt Injection (Category 8).
  - Ingestion points: `src/zendesk_skill/operations.py` (functions `get_ticket_details`, `search_tickets`, and `download_attachment`). The skill ingests untrusted data from ticket comments and search results.
  - Capability inventory: The skill can perform network operations via `httpx`, write to the file system, and execute `jq` logic using `subprocess.run` (`src/zendesk_skill/queries.py`).
  - Sanitization: The skill implements mitigations by using `prompt-security-utils` to wrap untrusted content and instructions for the agent to ignore instructions within the wrapped blocks.
  - Boundary markers: Present in `src/zendesk_skill/server.py` and `src/zendesk_skill/operations.py`.
- [EXTERNAL_DOWNLOADS]: Support for an external OAuth relay server.
  - File: `src/zendesk_skill/auth/server.py`.
  - Evidence: The skill allows configuration of an external relay server for managing OAuth tokens. While documented as a feature for team deployments, it introduces a risk of credential exfiltration if a user is socially engineered into configuring a malicious server URL.
Audit Metadata