sys-executing-threads
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill ingests untrusted 'outputs' from upstream agents and persists them to the filesystem, creating a vulnerability surface for indirect prompt injection downstream.
  - Ingestion points: The 'outputs' data structure in the calling agent input (SKILL.md).
  - Boundary markers: Absent; agent content is written directly as the file body without delimiters or escaping.
  - Capability inventory: The skill utilizes the 'Write' tool with unrestricted file system access.
  - Sanitization: Absent; the skill does not perform any filtering or validation of the injected markdown content.
- [COMMAND_EXECUTION] (HIGH): The skill accepts a 'thread_path' variable from calling agents and uses it directly for file system operations without validation.
  - Evidence: Step 1 in the 'Process' section confirms the path exists but lacks path normalization or traversal checks, allowing a compromised agent to use directory traversal sequences (e.g., '../../') to write to sensitive system directories.
Recommendations
- AI detected serious security threats
Audit Metadata