athena-package
Warn
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill exhibits a surface for indirect prompt injection. It ingests untrusted user content from conversations or uploaded files to create notes, which are then processed by a validation script whose output influences the agent's behavior during a 'fix' cycle.\n
- Ingestion points: User-provided text and uploaded files enter the workflow in Step 1 and are written to the
notes/directory.\n - Boundary markers: No explicit delimiters or instructions are used to warn the agent about ignoring embedded instructions within the user content.\n
- Capability inventory: The skill uses
Bashto run validation and creation scripts, andWriteandReadtools to manage the staging directory.\n - Sanitization: The
validate_athena_package.pyscript performs structural and regex-based validation of the note format but does not sanitize the text content for malicious prompt instructions.\n- [Dynamic Execution] (MEDIUM): Thevalidate_athena_package.pyscript useszipfile.extractall()to extract archives when a file path is provided for validation. This method is vulnerable to Path Traversal (ZipSlip), allowing a malicious archive to overwrite files outside the intended temporary directory. While the skill's primary instructions focus on creating packages from directories, the presence of this vulnerable extraction logic in a provided utility script poses a risk if used on untrusted files.\n- [COMMAND_EXECUTION] (SAFE): The skill uses the Bash tool to execute local Python scripts included in the package. These scripts rely exclusively on the Python standard library for their operations and do not perform unauthorized system commands.
Audit Metadata