perf-audit
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION, SAFE
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/full-audit.sh` is vulnerable to local command injection. It uses shell variable interpolation to pass output from sub-scripts into a `python3 -c` command string using triple quotes. Evidence: The line `images = json.loads('''$image_result''')` in `full-audit.sh` allows a project filename containing `'''` to break out of the Python string context and execute arbitrary Python code.
- [COMMAND_EXECUTION]: The skill relies on local execution of several shell scripts and Unix utilities including `find`, `stat`, `gzip`, and `sips` (on macOS). These operations are restricted to the project directory provided by the user but represent a significant execution capability.
- [SAFE]: The skill operates entirely locally and does not request or use network access, which prevents remote data exfiltration risks.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data from project files and presents it to the agent without boundary markers.
  - Ingestion points: Project file paths in `scripts/image-audit.sh` and `scripts/bundle-audit.sh`, and `package.json` content in `scripts/dep-audit.sh`.
  - Boundary markers: Absent in script output.
  - Capability inventory: Local file system read access and subprocess execution via `bash` and `python3`.
  - Sanitization: The skill uses `sed` to escape double-quotes for JSON formatting in individual scripts, but fails to safely handle the resulting data interpolation in the `full-audit.sh` script.
Audit Metadata