visual-audit

Warn

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions include executing shell commands such as 'quarto render Quarto/$ARGUMENTS'. Because the $ARGUMENTS variable is used directly without sanitization, an attacker could provide a filename containing shell metacharacters to execute unauthorized commands on the host system.
  • [REMOTE_CODE_EXECUTION]: The skill processes document types that are known to support code execution during compilation or rendering. Quarto files can execute embedded Python or R code, and LaTeX files can execute system commands. This allows a malicious document provided for auditing to achieve code execution with the permissions of the agent.
  • [PROMPT_INJECTION]: The skill is designed to audit user-provided document content, which introduces a risk of indirect prompt injection where malicious instructions inside the document could manipulate the agent's behavior.
  • Ingestion points: Content from files specified by the $ARGUMENTS parameter.
  • Boundary markers: None. The skill does not use delimiters or provide instructions to ignore embedded content during the audit.
  • Capability inventory: The agent has permissions for file system access (Read, Write, Glob, Grep), task execution, and command line tools.
  • Sanitization: No sanitization of the document content is performed prior to the audit process.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 10, 2026, 01:16 AM