Skill Validator
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: CRITICAL
Categories: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION] (CRITICAL): The script validate.sh reads the content of untrusted files into variables ($MANIFEST and $IMPLEMENTATION) and interpolates them into a double-quoted string passed to the shell. This results in direct command injection if a file contains shell metacharacters such as $(command) or `command`.
- [PROMPT_INJECTION] (HIGH): The skill is a primary target for indirect prompt injection (Category 8). It ingests untrusted code and manifest data and interpolates them directly into a prompt for Codex without any boundary markers, delimiters, or sanitization. An attacker can use this to manipulate validation scores or suppress issue reporting.
- [COMMAND_EXECUTION] (HIGH): Python one-liners in validate.sh use shell variable expansion (e.g., open('$MANIFEST_PATH')) inside the Python code string. A malicious path containing single quotes and Python commands (e.g., path';import os;os.system('ls');') will execute arbitrary Python code.
- [DATA_EXFILTRATION] (MEDIUM): The resource_path and manifest_path inputs are used to read files from the filesystem without validation. This allows an attacker to read sensitive files (e.g., ~/.ssh/id_rsa) by providing them as paths, which are then leaked to the LLM via the prompt.
Recommendations
- AI detected serious security threats
Audit Metadata