markdesk-docs
Fail
Audited by Gen Agent Trust Hub on Feb 13, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is vulnerable to indirect prompt injection because it ingests untrusted data from the local repository's git history and uses it to drive agent decisions and file creation.
  - Ingestion points: The agent executes `git log` and `git show` in Step 1 to gather context for documentation.
  - Boundary markers: No delimiters or instructions are provided to the agent to treat git output as untrusted data; the output is directly interpolated into the agent's reasoning process.
  - Capability inventory: The skill can execute shell commands (`git`, `cp`) and write new markdown files to the help center project.
  - Sanitization: There is no sanitization or filtering of commit messages, allowing an attacker who can commit to the repository to influence the agent's behavior.
- [Command Execution] (MEDIUM): The skill uses the shell to execute git commands and file copy operations based on external input.
  - Evidence: Step 3 instructs the agent to use `cp` with user-provided image paths. While the prompt suggests quoting paths to handle spaces, it lacks logic to validate the source path. This could allow an attacker to trick the agent into copying sensitive files (e.g., `~/.ssh/id_rsa`) into the `public/` directory of the help center, potentially exposing them to the web if the help center is deployed.
Recommendations
- AI detected serious security threats
Audit Metadata