
reverse-engineer-rpi

Warn

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: MEDIUM
Tags: DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [Category 2] DATA_EXFILTRATION (MEDIUM): The scripts/fetch_url.py utility supports the file:// URI scheme. If an attacker supplies a malicious --docs-sitemap-url, they could trick the agent into reading and exfiltrating sensitive local files (e.g., SSH keys, configuration files) from the environment in which the agent runs.
  • [Category 4] COMMAND_EXECUTION (MEDIUM): The scripts/binary/extract_embedded_archives.py script uses zipfile.extractall() to unpack archives found inside binaries. This is vulnerable to a 'ZipSlip' path traversal attack: if a malicious binary contains a ZIP file with member names such as ../../evil.sh, an attacker can write files outside the intended output directory.
  • [Category 8] INDIRECT PROMPT INJECTION (LOW): The skill ingests untrusted data from binaries (strings and symbols) and from remote sitemaps. This data is incorporated into markdown reports that the agent is instructed to process. A malicious binary could contain strings crafted to manipulate the agent's logic during the reporting phase.
      • Ingestion points: scripts/fetch_url.py (remote/local URLs), scripts/binary/analyze_binary.sh (strings/disassembly from binaries), scripts/binary/extract_embedded_archives.py (filenames from embedded ZIPs).
      • Boundary markers: SKILL.md contains high-level instructions to separate 'docs say' from 'code proves', but there are no technical delimiters (e.g., XML tags or special markers) around untrusted content in the generated reports.
      • Capability inventory: The skill can execute system utilities (strings, otool, objdump, syft), read local files, and write to the filesystem.
      • Sanitization: Some output (such as strings) is truncated or filtered by regex, but filenames and sitemap paths are used directly without sanitization.
  • [Category 10] DYNAMIC EXECUTION (LOW): Several shell scripts (analyze_binary.sh, extract_docs_features.sh, extract_sitemap_paths.sh) use python3 - to execute inline Python code. While the code is static within the scripts, this pattern is often the basis for more complex dynamic execution vectors.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 19, 2026, 08:55 PM