atmos-custom-commands
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE COMMAND_EXECUTION EXTERNAL_DOWNLOADS PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is designed to define and execute arbitrary shell commands through the `steps` attribute in the `atmos.yaml` configuration. Examples demonstrate the execution of system tools such as `terraform`, `ansible-playbook`, `aws eks`, and `tflint`.
- [EXTERNAL_DOWNLOADS]: The `dependencies` section enables the automatic download and installation of CLI tools from a toolchain registry. While this is a core feature of the vendor's tool, it represents a mechanism for fetching and executing external binaries.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it uses Go templates to interpolate user-provided arguments and flags directly into shell commands. An attacker providing a malicious value for an argument could potentially execute unauthorized shell commands.
  - Ingestion points: Positional arguments (`{{ .Arguments.<name> }}`), named flags (`{{ .Flags.<name> }}`), and trailing arguments (`{{ .TrailingArgs }}`) are the primary entry points for external data as described in `SKILL.md` and `references/command-syntax.md`.
  - Boundary markers: The skill does not implement any boundary markers or instructions to the agent to ignore potentially malicious content within these variables.
  - Capability inventory: The skill possesses the capability to execute sequences of shell commands, set environment variables, and change the working directory (including using `!repo-root`).
  - Sanitization: No sanitization, escaping logic, or input validation is described or required by the command schema when processing template variables for shell execution.
Audit Metadata