spaps-feedback

Pass

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses subprocess.check_output to execute SSH and Docker commands for database access. This is the primary function of the tool. Commands are constructed with shlex.quote to mitigate shell injection risks.
  • [DATA_EXFILTRATION]: The skill reads data from a production Postgres database. While it uses read-only queries and a fixed set of columns, this represents access to potentially sensitive user feedback. No unauthorized external transmission was detected, but data is exposed to the AI agent.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted user feedback from the database. This data is used by the agent to rank and invoke sibling skills.
      • Ingestion points: spaps_feedback.db via scripts/fetch_issues.py (specifically the note and component_label fields).
      • Boundary markers: Absent. The agent is instructed via natural language in SKILL.md to confirm matches with the user, but there are no technical delimiters separating the untrusted data.
      • Capability inventory: subprocess.check_output (ssh, docker) in scripts/fetch_issues.py and scripts/match_skills.py, and the ability to trigger sibling skills.
      • Sanitization: SQL components are regex-validated, and shell arguments are quoted. However, the content of the user notes is not sanitized or escaped before being presented to the agent.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 10, 2026, 08:11 PM