grove-account-deletion
Fail
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill directs the agent to run shell commands through `npx wrangler` and to splice user-provided strings (usernames, emails, IDs) directly into SQL (`WHERE subdomain = 'USERNAME'`) and into shell arguments. Nothing validates or escapes these values, so a crafted username can close the quoted literal and append further SQL, and a value containing shell metacharacters can change the command the agent actually runs. The D1 command-line path takes the statement as one string rather than bound parameters, so the only defence available on this path is strict validation of the value before it is interpolated.
- REMOTE_CODE_EXECUTION (HIGH): In Step 6 the skill pipes a bucket listing through `jq -r '.[] .key' | while read key; do ... done` to delete R2 objects one at a time. Object names are attacker-influenced data (whoever can write to the bucket chooses them) and they flow into the loop body unchanged. Whether that becomes code execution depends on how `$key` is used: an unquoted expansion, an `eval`, or interpolation into a string handed to `sh -c` executes the metacharacters, while a properly quoted argument does not. Even in the quoted case the loop is fragile: `read` without `-r` mangles backslashes, surrounding whitespace is stripped, and a key containing a newline is split into two iterations, so the wrong object can be targeted.
- DATA_EXFILTRATION (MEDIUM): The 'Identify' and 'Snapshot' steps query and print sensitive PII (email addresses, tenant IDs, plan details) from the production database into the agent's output. Anything that can steer the agent, including instructions embedded in the data it reads, can broaden those queries and harvest user records, and whatever is printed remains in the conversation history and any logging around it.
- EXTERNAL_DOWNLOADS (LOW): The skill relies on `npx wrangler`. Unless `wrangler` is already present in the project's dependencies, `npx` resolves and installs it from the npm registry at run time, so the code executed is whichever version the registry serves at that moment. Pinning the version (`npx wrangler@<version>`, or a lockfile-controlled devDependency) removes that variability.
- INDIRECT_PROMPT_INJECTION (LOW): (Category 8)
  - Ingestion points: tenant metadata and object keys read from Cloudflare D1/R2 (SKILL.md, Steps 1 & 6). Both stores are writable by the tenants themselves, so text planted in a tenant record or an object name reaches the agent as part of its working data.
  - Boundary markers: absent; fetched data is interpolated directly into command strings with nothing marking it as untrusted.
  - Capability inventory: database execution and object deletion via `npx wrangler`, so injected text lands in a context that can delete production data.
  - Sanitization: none; every command is built by direct string substitution.
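The two interpolation points flagged above, hardened, as an added bash example that is not code from the audited skill or from Gen Agent Trust Hub. It assumes a D1 table named `tenants` with `id`, `email` and `subdomain` columns and delete targets of the form `<bucket>/<key>`; `wrangler` itself is never invoked, a stub records the argv it would receive, so the script runs offline and shows that a key carrying shell metacharacters or a newline still arrives as a single argument. The bucket listing is constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example, not code from the audited skill. Hardens the SQL and the
# R2 key loop the audit flags. Assumed: a D1 table `tenants` with columns
# id, email, subdomain; delete targets of the form <bucket>/<key>.
set -euo pipefail

# --- 1. SQL path -------------------------------------------------------------
# The D1 CLI takes the statement as one string, so there is no parameter
# binding to lean on. Allowlist the value before it reaches the query:
# lowercase letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
SUBDOMAIN_RE='^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
valid_subdomain() {
  [[ "$1" =~ $SUBDOMAIN_RE ]]
}

# Returns the lookup statement for a subdomain, or fails without emitting SQL.
# The allowlist excludes quotes, so the literal cannot be closed early.
build_lookup_sql() {
  local sub="$1"
  valid_subdomain "$sub" || { echo "refusing subdomain: $sub" >&2; return 1; }
  printf "SELECT id, email FROM tenants WHERE subdomain = '%s';" "$sub"
}

# --- 2. R2 key loop ----------------------------------------------------------
# The skill's `jq -r '.[] .key' | while read key` splits on IFS, drops
# backslashes, and turns a key containing a newline into two iterations.
# NUL-delimit the keys instead and read them with -d '' so each key is
# exactly one argument, whatever characters it contains.

# Constructed listing standing in for the bucket's object list.
R2_LIST_JSON='[{"key":"tenant/a.txt"},{"key":"x; rm -rf / #"},{"key":"sp ace\nnew"}]'

# Dry-run stand-in for `npx wrangler`: records argc and each argument
# (shell-quoted, one per line) in the file named by $1.
record_wrangler() {
  local log="$1"; shift
  { printf 'argc=%d\n' "$#"; printf '%q\n' "$@"; } >> "$log"
}

delete_keys_safely() {
  local bucket="$1" log="$2"
  printf '%s' "$R2_LIST_JSON" | jq -j '.[].key + "\u0000"' |
  while IFS= read -r -d '' key; do
    # "$bucket/$key" is one quoted word; "--" keeps a key beginning with "-"
    # from being parsed as an option.
    record_wrangler "$log" r2 object delete -- "$bucket/$key"
  done
}

# Stand-alone demo (skipped when the file is sourced).
if [[ "${BASH_SOURCE[0]:-}" == "$0" ]]; then
  build_lookup_sql acme-1; echo
  build_lookup_sql "x' OR '1'='1" || echo "rejected as expected"
  if command -v jq >/dev/null 2>&1; then
    tmp=$(mktemp); delete_keys_safely my-bucket "$tmp"; cat "$tmp"; rm -f "$tmp"
  fi
fi
```

Validation by allowlist rather than escaping is the right shape here: the CLI offers no bound parameters, and a subdomain has a narrow legal alphabet. The NUL-delimited loop is the idiomatic replacement for `while read key`, and the `--` is defensive against object names that begin with a dash.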
Recommendations
- AI detected serious security threats
Audit Metadata