reproduce
Warn
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill facilitates execution of powerful CLI tools including 'docker', 'make', 'just', and 'psql' for system inspection and service interaction.
- [REMOTE_CODE_EXECUTION]: The skill dynamically discovers and executes a shell script ('sanity_check.sh') from paths in the home directory associated with other AI agent skills (~/.codex/skills/ or ~/.claude/skills/).
- [DATA_EXFILTRATION]: The skill accesses high-value data sources for verification, such as database contents via 'psql', application logs via 'docker logs', and emails via 'gog gmail search'.
- [PROMPT_INJECTION]: The skill includes an indirect prompt injection surface by reading and acting on untrusted data from log files, repository contents, and API responses.
  - Ingestion points: 'docker logs' output, search results from 'rg' on repository files, and responses from 'curl'.
  - Boundary markers: None used to separate untrusted data from internal instructions.
  - Capability inventory: Significant local environment control via shell, docker, and database access.
  - Sanitization: No sanitization or verification of data content is performed before processing.
Audit Metadata