compound
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- PROMPT_INJECTION (HIGH): Vulnerable to Indirect Prompt Injection that persists across agent sessions.
  - Ingestion points: The skill reads untrusted data from the conversation history and from task files in ./apex/tasks/ (Steps 1 and 3).
  - Boundary markers: No delimiters or sanitization steps are defined to separate user-provided content from instructions.
  - Capability inventory: The skill has the capability to modify AGENTS.md (Step 7), which serves as "always loaded" context for future agent runs.
  - Sanitization: None. An attacker can inject malicious instructions into the conversation history disguised as a "learning" or "gotcha," which the skill will then extract and write permanently into the global agent configuration.
- COMMAND_EXECUTION (MEDIUM): Risk of shell injection through unsanitized search parameters.
  - Evidence: Steps 2 and 7 use grep in bash blocks with variables like [keywords] and [key phrase from learning], which are extracted from untrusted task content.
  - Risk: If these extracted strings contain shell metacharacters (e.g., backticks, semicolons, or subshell syntax like $(...)), the agent may execute arbitrary commands on the host system when attempting to run the duplicate check.
Recommendations
- AI detected serious security threats
Audit Metadata