validate-skill

Fail

Audited by Gen Agent Trust Hub on Mar 28, 2026

Risk Level: HIGH
COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is susceptible to command injection because it interpolates the $ARGUMENTS variable directly into a shell command (python3 "$SCRIPT" $ARGUMENTS) without quotes or validation. This allows for arbitrary command execution on the host system if the user-provided input contains shell metacharacters such as semicolons, ampersands, or pipes.
  • [COMMAND_EXECUTION]: The skill uses directory traversal (../) to access and execute a script (quick_validate.py) located outside of the skill's root directory, which can be used to execute unauthorized files.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 28, 2026, 10:15 PM