get-weather-forecast
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches weather data from the well-known 'wttr.in' service using curl.
- [COMMAND_EXECUTION]: Executes a bundled shell script (scripts/run.sh) and describes a procedure for running curl commands to retrieve weather updates.
- [PROMPT_INJECTION]: Identifies an indirect prompt injection surface through the {{LOCATION}} placeholder in the procedure.
  - (1) Ingestion points: The location parameter extracted from the user's request.
  - (2) Boundary markers: No delimiters or explicit instructions to ignore embedded commands are present.
  - (3) Capability inventory: The skill executes curl in a shell environment.
  - (4) Sanitization: There is no evidence of input validation or escaping for the user-provided location string before it is used in the command.
Audit Metadata