Capability Graph Builder
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- COMMAND_EXECUTION (HIGH): The script `build-graph.sh` contains a critical command injection vulnerability. It interpolates the `$MANIFEST_JSON` variable (derived from user-controlled `manifest.yaml` files) directly into a double-quoted string passed to `python3 -c` (lines 48-55). Since the variable is expanded by the shell within double quotes, an attacker can execute arbitrary commands by including shell metacharacters like backticks or `$(...)` inside a manifest file.
- PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection. It ingests content from all `manifest.yaml` files in a directory and interpolates them directly into a prompt sent to Codex (line 67).
  - Ingestion points: multiple `manifest.yaml` files found within the user-specified `manifest_dir`.
  - Boundary markers: the script uses simple text labels (e.g., `MANIFESTS:`) and instructional constraints (e.g., `Output ONLY valid JSON`), which can be bypassed by malicious content in the manifests.
  - Capability inventory: the skill can execute the `codex` tool (network/API access), read arbitrary files via `find`, and write the resulting graph to a user-defined `output_path`.
  - Sanitization: no sanitization or escaping is performed on the manifest content before it is placed in the prompt.
- DATA_EXFILTRATION (LOW): The skill requires an `OPENAI_API_KEY` and sends the entire content of found manifests to the Codex service. While this is the intended functionality, it could result in the exposure of sensitive metadata if the directory scan includes unintended files.
Recommendations
- AI detected serious security threats
Audit Metadata