NYC

Skill Validator

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: CRITICAL
Categories: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION] (CRITICAL): The script validate.sh reads the content of untrusted files into variables ($MANIFEST and $IMPLEMENTATION) and interpolates them into a double-quoted string passed to the shell. This results in direct command injection if a file contains shell metacharacters like $(command) or `command`.
  • [PROMPT_INJECTION] (HIGH): The skill is a primary target for indirect prompt injection (Category 8). It ingests untrusted code and manifest data and interpolates them directly into a prompt for Codex without any boundary markers, delimiters, or sanitization. An attacker can use this to manipulate validation scores or suppress issue reporting.
  • [COMMAND_EXECUTION] (HIGH): Python one-liners in validate.sh use shell variable expansion (e.g., open('$MANIFEST_PATH')) inside the Python code string. A malicious path containing single quotes and Python commands (e.g., path';import os;os.system('ls');') will execute arbitrary Python code.
  • [DATA_EXFILTRATION] (MEDIUM): The resource_path and manifest_path inputs are used to read files from the filesystem without validation. This allows an attacker to read sensitive files (e.g., ~/.ssh/id_rsa) by providing them as paths, which are then leaked to the LLM via the prompt.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 15, 2026, 10:48 PM