NYC

Capability Graph Builder

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • COMMAND_EXECUTION (HIGH): The script build-graph.sh contains a critical command injection vulnerability. It interpolates the $MANIFEST_JSON variable (derived from user-controlled manifest.yaml files) directly into a double-quoted string passed to python3 -c (lines 48-55). Because the shell expands the variable inside the double quotes, an attacker can execute arbitrary commands by including shell metacharacters such as backticks or $(...) in a manifest file.
  • PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection. It ingests the content of all manifest.yaml files in a directory and interpolates it directly into a prompt sent to Codex (line 67).
    ◦ Ingestion points: Multiple manifest.yaml files found within the user-specified manifest_dir.
    ◦ Boundary markers: The script uses simple text labels (e.g., MANIFESTS:) and instructional constraints (e.g., Output ONLY valid JSON), which can be bypassed by malicious content in the manifests.
    ◦ Capability inventory: The skill can execute the codex tool (network/API access), read arbitrary files via find, and write the resulting graph to a user-defined output_path.
    ◦ Sanitization: No sanitization or escaping is performed on the manifest content before it is placed in the prompt.
  • DATA_EXFILTRATION (LOW): The skill requires an OPENAI_API_KEY and sends the entire content of the found manifests to the Codex service. While this is the intended functionality, it could expose sensitive metadata if the directory scan includes unintended files.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 05:36 PM