command-creator

Warn

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill implements a shell injection mechanism (using the '!' prefix) that allows for the execution of arbitrary system commands. Examples provided in the templates include 'npm test', 'git log', 'find', and 'gitleaks', which can perform various system-level operations.
  • [DATA_EXFILTRATION]: The skill enables access to sensitive local data through file reference syntax ('@' prefix) and shell output capture. Templates suggest reading potentially sensitive files such as '.env.example', application logs, and security audit reports.
  • [PROMPT_INJECTION]: Documentation explicitly details how to override core system commands like '/init', '/help', and '/undo'. This functionality can be exploited to hijack standard agent workflows and redirect them to user-defined malicious prompts.
  • [PROMPT_INJECTION]: The skill possesses an attack surface for indirect prompt injection due to the lack of sanitization for injected content.
  • Ingestion points: External data enters the agent context through shell outputs ('!') and file reading ('@') as demonstrated in 'assets/command-templates.md'.
  • Boundary markers: The templates lack clear delimiters or instructions to prevent the model from following commands embedded within the injected data.
  • Capability inventory: The skill facilitates both arbitrary shell execution and direct filesystem access.
  • Sanitization: There is no evidence of validation or filtering for the content retrieved from external files or command outputs.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 2, 2026, 02:43 AM