deepscan-record
Fail
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The shell command template defined in
SKILL.md—python scripts/record.py add-text "{用户文本内容}"—is highly vulnerable to command injection. Because user-supplied text is interpolated directly into the shell command without sanitization or escaping, an attacker can use characters like;,&, or backticks to execute arbitrary system commands on the host environment. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection when processing images. Content decoded from QR codes is returned to the agent and displayed to the user without filtering. This allows a malicious QR code to deliver instructions that could manipulate the agent's behavior.
- Ingestion points: QR/barcode decoding in
scripts/record.pyvia thezxingcpplibrary. - Boundary markers: None. The decoded result is directly interpolated into the agent's response.
- Capability inventory: The agent can execute shell commands and perform network requests to external APIs.
- Sanitization: No validation or escaping is applied to the decoded string before it is passed to the agent.
- [CREDENTIALS_UNSAFE]: The script reads a sensitive authentication token from
~/.deepscan/token. While this path appears to be the standard location for the vendor's DeepScan service credentials, accessing local token files is a sensitive operation that should be monitored.
Recommendations
- AI detected serious security threats
Audit Metadata