llms-txt-generator
Fail
Audited by Gen Agent Trust Hub on Apr 2, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands (git clone, find) using variables derived directly from user input without sanitization. Specifically, the command `git clone --depth 1 --filter=blob:none --sparse https://github.com/{org}/{repo}.git /tmp/llms-gen-{repo}` allows for command injection if a user provides an `{org}` or `{repo}` value containing shell metacharacters (e.g., `;`, `&`, `|`).
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection. It ingests untrusted data from external repositories or local documentation files and processes this content to generate summaries.
  - Ingestion points: Reads `.md`, `.mdx`, `.rst`, and `.txt` files from remote GitHub repositories or local project directories in Phase 1 and Phase 3.
  - Boundary markers: The instructions do not define clear delimiters or system-level warnings to the LLM to ignore instructions found within the source documentation.
  - Capability inventory: The skill uses `git clone` for network access, `find` for file system discovery, and saves output to `/home/claude/` or `/mnt/user-data/outputs/`.
  - Sanitization: There is no evidence of sanitization, filtering, or validation of the content read from external source files before it is processed by the LLM.
- [REMOTE_CODE_EXECUTION]: By combining the command injection vulnerability in the git clone logic with the ability to target any URL, an attacker could potentially execute arbitrary commands on the system hosting the agent.
Recommendations
- AI detected serious security threats
Audit Metadata