swain-search
Fail
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/evidencewatch.sh is vulnerable to code injection. It reads configuration values from the local file .agents/evidencewatch.vars.json and interpolates them directly into a Python heredoc without proper sanitization. A malicious configuration file containing Python escape sequences could execute arbitrary code when the script is invoked.
- [REMOTE_CODE_EXECUTION]: The skill uses uv run --with pyyaml to execute Python-based monitoring logic. This fetches and installs the pyyaml package from the official Python Package Index (PyPI) at runtime.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface because it is designed to fetch and process content from external web URLs, media transcripts, and local documents. (1) Ingestion points: data is ingested from arbitrary web URLs, media transcripts, and local documents during the source collection phase. (2) Boundary markers: no explicit boundary markers or instructions to ignore embedded commands are applied when storing the normalized markdown. (3) Capability inventory: the skill has powerful capabilities, including Bash execution, WebFetch, and file system modification tools. (4) Sanitization: the normalization logic focuses on stripping HTML boilerplate (ads, navigation) but does not validate or sanitize the textual content for malicious prompt instructions.
Recommendations
- AI detected serious security threats
Audit Metadata