exe-dev
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill provides a set of instructions for the agent to manage remote infrastructure (creating, listing, and sharing VMs) by executing SSH commands. This grants the agent direct administrative control over a remote hosting environment.
- PROMPT_INJECTION (MEDIUM): A significant Category 8 (Indirect Prompt Injection) surface is documented for the 'Shelley' coding agent integrated into the service. Ingestion points: The agent specifically reads
~/.config/shelley/AGENTS.mdand project-levelAGENTS.mdfiles. Boundary markers: None are specified in the reference documentation to prevent the agent from obeying instructions embedded within these data files. Capability inventory: As a 'coding agent', Shelley likely has file-write and command-execution permissions on the VM. Sanitization: No validation or sanitization of the input file content is mentioned. This allows an attacker to hijack the agent's behavior by placing malicious prompts in a repository'sAGENTS.mdfile.
Audit Metadata