dev
Warn
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill enables direct access to the Bash shell via the allowed-tools configuration, permitting the execution of any system command. Evidence: usage of `bash -c` in provided examples.
- [REMOTE_CODE_EXECUTION]: The skill explicitly facilitates the execution of arbitrary code strings for Node.js, TypeScript, and Python. Evidence: examples using `bun -e`, `node`, and `python -c` to run dynamic code.
- [DATA_EXFILTRATION]: The skill provides the ability to read arbitrary files and list directory contents on the local system. Evidence: examples using `fs.readdirSync`, `fs.readFileSync`, and `cat` allow exposure of sensitive configuration files.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads and processes data from external files without isolation or sanitization.
  - Ingestion points: The skill reads file contents through shell commands (`cat`) and runtime-specific file system APIs, as demonstrated in the SKILL.md examples.
  - Boundary markers: Absent. There are no instructions to the agent to treat external file content as untrusted or to ignore embedded instructions.
  - Capability inventory: The skill allows full shell access, file read/write operations, and arbitrary code execution.
  - Sanitization: Absent. No filtering or validation mechanisms are implemented for content retrieved from the file system.
Audit Metadata