consult-zai
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill requires the agent to execute shell commands (bash, zsh, rm) to interact with the zai CLI tool. It utilizes interactive shell flags (-i), which can introduce non-deterministic behavior by loading local shell profiles and aliases.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it processes untrusted user data.
  - Ingestion points: The [USER_QUESTION] variable is directly written to a temporary file at $CLAUDE_PROJECT_DIR/tmp/zai-prompt.txt.
  - Boundary markers: While the prompt uses structured headers, it does not provide clear instructions to the model to ignore potential commands or overrides embedded within the user's question.
  - Capability inventory: The skill uses file writing, shell command execution, and recursive sub-agent calls.
  - Sanitization: No sanitization or escaping is performed on the user-provided text before it is saved to disk or passed to the zai command.
Audit Metadata