background-tasks

Fail

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The dispatch function uses subprocess.Popen with shell=True to run strings provided in the command argument. This allows for the execution of any shell command supported by the host system.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted JSON input and possesses high-privilege capabilities.
      • Ingestion points: Input data enters the skill via JSON-encoded strings in sys.argv[1] or sys.stdin, which are parsed into the args dictionary in main().
      • Boundary markers: No delimiters or instructions to ignore embedded instructions are present in the processing logic.
      • Capability inventory: The skill can execute arbitrary shell commands (subprocess.Popen), manage processes (os.kill), and perform filesystem operations (read/write).
      • Sanitization: No sanitization, escaping, or validation is performed on the command, cwd, or task_id inputs before they are used in sensitive operations.
  • [DATA_EXFILTRATION]: The collect action returns the contents of task output files. This mechanism can be used to exfiltrate sensitive data if a malicious command (e.g., cat /etc/passwd) is dispatched first.
  • [COMMAND_EXECUTION]: The collect action is vulnerable to path traversal. It uses the user-supplied task_id to construct file paths for reading (e.g., _BG_DIR / f"{task_id}.json") without sanitizing for directory traversal sequences like ../, potentially allowing access to files ending in .json or .out in other directories.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 1, 2026, 12:35 AM