fizzy
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is entirely built around interfacing with the Fizzy service using the `fizzy` command-line utility. It instructs the agent to perform complex operations, including file uploads and system configuration, and suggests using `jq` for output processing.
- [PROMPT_INJECTION]: The skill uses specific invariants to constrain agent behavior, such as a requirement to display a welcome message for new users when a specific API flag is returned.
- [PROMPT_INJECTION]: The 'Breadcrumbs' feature introduces a potential surface for indirect prompt injection. The skill is directed to execute 'ready-to-run' commands provided in the `cmd` field of JSON responses from the remote API.
  - Ingestion points: JSON data received from the Fizzy API (e.g., via `card show` or `comment list`).
  - Boundary markers: No boundary markers or 'ignore' instructions are specified to protect against malicious commands embedded in the API response.
  - Capability inventory: The agent can execute any `fizzy` CLI command, create and modify temporary files in `/tmp`, and pipe data to shell utilities.
  - Sanitization: There is no requirement for the agent to sanitize or validate the command strings received from the remote service before execution.