generate-slide
Fail
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The bash scripts and examples provided in references/slide-generator.md are vulnerable to command injection. The skill interpolates variables like ${prompt} directly into shell commands used for curl requests. Because these variables are populated with content from untrusted local files (e.g., README.md), an attacker could use a specially crafted file to break out of the command and execute malicious code, such as exfiltrating the GOOGLE_AI_API_KEY variable from the environment.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it incorporates untrusted data from the workspace into LLM prompts without adequate protection.
  - Ingestion points: Reads project information from README.md, package.json, CLAUDE.md, and Plans.md.
  - Boundary markers: Absent; data is directly interpolated into prompt templates in references/slide-generator.md.
  - Capability inventory: Includes Bash (curl), Read, and Write tools.
  - Sanitization: No escaping or validation is performed on the ingested content before use in prompts or shell commands.
- [DATA_EXFILTRATION]: The skill extracts project-specific metadata and transmits it to Google's Generative Language API. This behavior is consistent with the skill's stated purpose of using an external AI service to generate images.
- [EXTERNAL_DOWNLOADS]: The skill makes network requests to a well-known service (Google's Generative Language API) to perform its core function. This is documented and uses standard API patterns.
Recommendations
- AI detected serious security threats
Audit Metadata