Skills
skills/b-open-io/bsv-skills/encrypt-decrypt-backup/Gen Agent Trust Hub

encrypt-decrypt-backup

Fail

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: HIGHCOMMAND_EXECUTIONCREDENTIALS_UNSAFE
Full Analysis
  • [COMMAND_EXECUTION]: The scripts scripts/decrypt.ts and scripts/encrypt.ts use node:child_process.exec to run the bbackup CLI. The command strings are constructed using template literals that interpolate user-provided arguments like inputPath, password, and outputPath. Because these values are not properly sanitized or escaped, an attacker can provide inputs containing shell metacharacters (e.g., ;, &, |) to execute arbitrary commands on the host system.
  • Ingestion points: Command-line arguments in scripts/decrypt.ts and scripts/encrypt.ts.
  • Capability inventory: execAsync subprocess calls in both scripts.
  • Sanitization: No sanitization or escaping of shell metacharacters is performed before interpolation.
  • [CREDENTIALS_UNSAFE]: Both encrypt.ts and decrypt.ts pass the user's password directly as a command-line argument to the bbackup tool (e.g., -p "${password}"). On most operating systems, command-line arguments of running processes are visible to all users via process monitoring tools like ps or top. This exposes sensitive backup passphrases to other users or malicious processes on the same system.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 14, 2026, 04:01 PM