secrets-management
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: DATA_EXFILTRATION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- [DATA_EXFILTRATION] (HIGH): The skill is specifically designed to provide the agent with access to highly sensitive configuration files.
  - Evidence: Explicit instructions and Python code patterns targeting secrets.json and .env files, which contain private keys and database connection strings.
  - Risk: Accessing sensitive file paths is classified as a HIGH severity finding, as it exposes high-value credentials directly to the AI's execution context.
- [PROMPT_INJECTION] (HIGH): Extreme risk of Indirect Prompt Injection (Category 8).
  - Ingestion points: secrets.json and .env via the file system (SKILL.md).
  - Boundary markers: Absent. The skill provides no instructions for the agent to isolate these secrets from untrusted inputs.
  - Capability inventory: Includes Python logic to read files and environment variables, typically used alongside other agent capabilities such as network access or file writing.
  - Sanitization: Absent. Secrets are loaded as raw strings without validation or masking.
  - Risk: If the agent subsequently processes untrusted data (e.g., a web search result or a file from a third party), an attacker can use indirect injection to force the agent to exfiltrate the secrets it has loaded into its memory.
- [CREDENTIALS_UNSAFE] (LOW): Hardcoded credential patterns in documentation.
  - Evidence: The documentation lists specific API key prefixes (e.g., sk-ant-api03-..., sk-or-v1-..., AKIA...).
  - Risk: While these are intended as placeholders, they provide the agent with exact patterns to identify and validate real secrets in the environment, aiding potential malicious behavior.
Recommendations
- AI detected serious security threats
Audit Metadata