plugin-search-and-use
Warn
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill implements a 'Loader' pattern where it searches for and adopts instructions from local SKILL.md files. It explicitly directs the agent to 'inject' these instructions into the current session, which facilitates indirect prompt injection from potentially malicious plugin files.
- Ingestion points: Reads content from SKILL.md, plugin.json, GEMINI.md, hooks.json, and settings.json located in plugin subdirectories.
- Boundary markers: None present; the skill instructs the agent to 'strictly follow' and 'read carefully' the external content.
- Capability inventory: The skill can read local files, adopt roles defined by the plugin, and execute shell commands suggested by the plugin configuration.
- Sanitization: None; the skill lacks validation mechanisms to verify the integrity or safety of the external plugin content before execution.
- [COMMAND_EXECUTION]: The environment compatibility section instructs the agent to manually execute the 'hooks' defined in hooks.json, such as 'npm run lint'. This allows a plugin's configuration files to dictate arbitrary command execution in the user's environment.
Audit Metadata