Skills
NYC
skills/daffy0208/ai-dev-standards/System Diagnostician/Gen Agent Trust Hub

System Diagnostician

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
  • COMMAND_EXECUTION (HIGH): The diagnose.sh script is vulnerable to shell command injection due to unsafe variable interpolation.
  • Evidence: The script reads package.json into a variable and interpolates it directly into a double-quoted string passed to codex exec. Since the content of package.json is untrusted and can contain double-quote characters, an attacker can craft a file (e.g., "; touch /tmp/pwned; #") that breaks out of the shell string and executes arbitrary commands on the host.
  • PROMPT_INJECTION (LOW): The skill is highly susceptible to Indirect Prompt Injection (Category 8) because it processes untrusted project data.
  • Ingestion points: diagnose.sh ingests raw file content from package.json and file paths from the project directory via find.
  • Boundary markers: Absent. The content is directly embedded into the AI prompt without any delimiters or instructions to treat it as data only.
  • Capability inventory: The script can read any file in the project, write to /tmp, and execute shell commands.
  • Sanitization: None. The script performs no validation or escaping of the file content before sending it to the AI model.
  • DATA_EXFILTRATION (LOW): The skill transmits repository metadata and file contents to an external AI provider via the codex tool. While documented in the manifest's side effects, this constitutes egress of potentially sensitive codebase information.
  • Metadata Poisoning (MEDIUM): The manifest.yaml claims a risk_level of safe, which is misleading given the critical shell injection vulnerabilities present in the implementation.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 05:30 PM