subsystem-edit

Warn

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The script subsystem-edit.ps1 executes an external validation script using powershell.exe. The path to this validator is computed dynamically relative to the skill's location (..\..\subsystem-validate\scripts\subsystem-validate.ps1), which creates a dependency on the presence and integrity of code outside the skill's own package.
  • [PROMPT_INJECTION]: The skill is vulnerable to XML injection in the Do-AddContent function. The $item value, which originates from user-provided input, is directly interpolated into an XML string fragment (<xr:Item ...>$item</xr:Item>) without escaping or validation. This allows an attacker to inject arbitrary XML tags, comments, or attributes into the target 1C configuration file.
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface:
    1. Ingestion points: The skill reads and processes 1C subsystem XML files and JSON-formatted operation definitions (DefinitionFile).
    2. Boundary markers: No specific boundary markers or instructions are used to separate structure from potentially untrusted content within the processed files.
    3. Capability inventory: The skill possesses the ability to read and write to the filesystem and execute sub-processes via PowerShell.
    4. Sanitization: Sanitization is applied inconsistently; while synonyms and explanations use SecurityElement::Escape, the content addition logic does not, leaving an exploitable gap for XML injection.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 4, 2026, 10:29 AM