nl2ledger
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- COMMAND_EXECUTION (HIGH): In SKILL.md Step 5, the instructions direct the agent to execute a shell command: python3 scripts/append_entry.py ... --note "用户原始输入". Because the user's natural language input is interpolated directly into a shell command inside double quotes, an attacker can use shell metacharacters (e.g., "; touch /tmp/pwned; ") to break out of the string and execute unauthorized code on the host machine.
- PROMPT_INJECTION (HIGH): This skill has a significant Indirect Prompt Injection surface (Category 8). Ingestion points: natural language expense descriptions in SKILL.md Step 2. Boundary markers: none (the input is placed directly into the shell string). Capability inventory: write access to the local filesystem and execution of Python scripts. Sanitization: none (the instructions mention CSV escaping but do not address shell injection or command sanitization). This combination of untrusted input and shell execution without sanitization creates a high-risk vulnerability.
Recommendations
- AI detected serious security threats
Audit Metadata