Fail
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill constructs and executes Bash commands by interpolating the unvalidated 'subject' and 'path' arguments directly into the command string. In the command 'cat > {path}/ctx-{direction}-{subject}.md', any shell metacharacters in those values (backticks, $(...), or a ';' followed by another command) are expanded by the shell before the redirection is performed, so an attacker who controls the subject or the path can execute arbitrary commands with the skill's privileges.
- [COMMAND_EXECUTION]: The skill uses the '!' prefix to auto-capture project state by executing system commands like 'date', 'pwd', and 'git' at runtime. While these specific commands are fixed, the mechanism demonstrates the skill's reliance on active shell execution.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it relies on potentially untrusted conversation context to 'infer' the variables that are then used in sensitive shell operations.
  - Ingestion points: The skill explicitly reads the 'current conversation context' to determine the 'subject' value used for file creation and naming, so any attacker-controlled text that reaches the context (pasted documents, tool output, earlier messages) can shape that value.
  - Boundary markers: No delimiters, schema validation, or 'ignore embedded instructions' warnings are applied to the inferred subject or to the user-provided path.
  - Capability inventory: The skill has permission to use the 'Bash' and 'Write' tools, allowing it to create directories and write files anywhere the user has access.
  - Sanitization: There is no evidence of sanitization or escaping (such as shell-quoting or an allowlist check) for the subject or path variables before they are passed to the Bash tool.
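To make the COMMAND_EXECUTION and Sanitization findings concrete, the following is an added example (not code from the audited skill or from Gen Agent Trust Hub). It places the unsafe pattern the audit describes, raw interpolation of 'path', 'direction' and 'subject' into a shell command, next to a hardened equivalent that allowlists each value and hands it to the shell only as a quoted argument or redirection target. All function names are hypothetical, and the accepted 'direction' values (in|out) are an assumption; the skill's real values are not stated in the audit.

```shell
#!/bin/sh
# Added example, not code from the audited skill. Contrasts the unsafe
# interpolation pattern from the audit with a hardened equivalent.
# Hypothetical names throughout; 'in|out' as direction values is assumed.

# UNSAFE: the values become part of the command text, so shell expansions
# inside them (backticks, $(...), ';' ...) run with the skill's privileges.
unsafe_write() {
  path="$1"; direction="$2"; subject="$3"; body="$4"
  sh -c "mkdir -p $path && printf '%s\n' '$body' > $path/ctx-$direction-$subject.md"
}

# Allowlist for a file-name component: letters, digits, '.', '_', '-';
# no leading '.' or '-'; at most 64 characters. Whitespace, newlines and
# every shell metacharacter fall outside the class and are rejected.
valid_slug() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*|.*|-*) return 1 ;;
  esac
  [ "${#1}" -le 64 ]
}

# Absolute path built from safe characters, with no '..' segments.
valid_dir() {
  case "$1" in
    /*) ;;
    *) return 1 ;;
  esac
  case "$1" in
    *..*|*[!A-Za-z0-9._/-]*) return 1 ;;
  esac
  return 0
}

# HARDENED: validate first, then let the shell see the values only as
# quoted arguments and a quoted redirection target, never as command text.
safe_write() {
  path="$1"; direction="$2"; subject="$3"; body="$4"
  case "$direction" in
    in|out) ;;
    *) echo "rejected direction: $direction" >&2; return 2 ;;
  esac
  valid_dir "$path" || { echo "rejected path: $path" >&2; return 2; }
  valid_slug "$subject" || { echo "rejected subject: $subject" >&2; return 2; }
  mkdir -p -- "$path" || return 1
  printf '%s\n' "$body" > "$path/ctx-$direction-$subject.md"
}

# Returns 0 when a subject of the form $(touch DIR/pwned) makes unsafe_write
# run the embedded command, i.e. the marker file appears in DIR.
injection_succeeds() {
  dir="$1"
  rm -f -- "$dir/pwned"
  unsafe_write "$dir" in "\$(touch $dir/pwned)" "body" 2>/dev/null
  [ -e "$dir/pwned" ]
}

# Demo: the same hostile subject is executed by unsafe_write and refused by
# safe_write. Works in a scratch directory and cleans up after itself.
demo() {
  dir=$(mktemp -d)
  if injection_succeeds "$dir"; then echo "unsafe_write: injected command ran"; fi
  if safe_write "$dir" in '$(touch pwned2)' "body" 2>/dev/null; then
    echo "safe_write: accepted hostile subject (unexpected)"
  else
    echo "safe_write: rejected hostile subject"
  fi
  safe_write "$dir" in design-notes "hello" && echo "safe_write: wrote ctx-in-design-notes.md"
  rm -rf -- "$dir"
}
demo
```

The allowlist is deliberately narrower than "escape the metacharacters": a value that is only ever a file-name component has no legitimate need for spaces, quotes or expansion syntax, so rejecting anything outside a small character class is both simpler and easier to audit than quoting. The same validation should be applied whether the value came from the user or was inferred from conversation context, since the audit shows both reach the shell by the same route.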
Recommendations
- AI detected serious security threats
Audit Metadata