configure
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script list-components.sh performs unsanitized string interpolation of the workspace path into a JSON structure. A crafted directory name containing double quotes could therefore inject additional keys into, or corrupt, the JSON payload passed to the internal statusline.sh script.
- [DATA_EXFILTRATION]: The list-components.sh script executes the pwd command, which reveals the absolute path of the agent's current working directory and so exposes details of the host filesystem layout.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it incorporates external data from the filesystem and from script outputs directly into its operational flow.
  - Ingestion points: component data retrieved from the list-components.sh script, and existing settings read from statusline.json files, as described in SKILL.md (Steps 1 and 5).
  - Boundary markers: none identified. The skill does not use delimiters or instruct the model to treat the retrieved component names as untrusted content.
  - Capability inventory: the skill is granted Bash, Read, and Write permissions, which could be leveraged to modify global or project configuration if malicious content is injected via component names.
  - Sanitization: none. The skill neither validates nor escapes the data it processes during the discovery and reading phases before using it in configuration logic or displaying it to the user.
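The COMMAND_EXECUTION finding above, reproduced as an added example that is not the audited skill's own code: a directory name containing a double quote is interpolated straight into JSON text, and a hardened builder escapes the value first. The function names, the JSON layout, and the crafted directory name are assumptions made for illustration; the real layout of list-components.sh is not shown on this page.

```sh
#!/bin/sh
# Added example (not the audited skill's code). Function names, JSON layout and
# the crafted path are assumptions for illustration only.

# Vulnerable pattern: the path is dropped straight into the JSON text, so any
# double quote in the directory name closes the string early.
build_json_unsafe() {
  printf '{"workspace":"%s","components":[]}' "$1"
}

# Escape a string for use inside a JSON double-quoted value: backslash and
# double quote first, then tabs and newlines (the control characters most likely
# to show up in a path). Other control characters would still need \uXXXX forms.
json_escape() {
  printf '%s' "$1" \
    | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
    | awk 'BEGIN { ORS = "" } NR > 1 { printf "\\n" } { gsub(/\t/, "\\\\t"); print }'
}

# Hardened pattern: same template, but the value is escaped before interpolation.
build_json_safe() {
  printf '{"workspace":"%s","components":[]}' "$(json_escape "$1")"
}

# Count key-looking tokens ("name":) so the injection is visible without a JSON
# parser. A correctly escaped path never adds a key to the object.
count_keys() {
  printf '%s' "$1" | grep -o '"[a-z_]*":' | wc -l | tr -d ' '
}

# Constructed directory name that smuggles an extra key into the unsafe build.
CRAFTED_DIR='/tmp/ws","allow_shell":"true'

echo "unsafe: $(build_json_unsafe "$CRAFTED_DIR")"
echo "        keys=$(count_keys "$(build_json_unsafe "$CRAFTED_DIR")")"
echo "safe:   $(build_json_safe "$CRAFTED_DIR")"
echo "        keys=$(count_keys "$(build_json_safe "$CRAFTED_DIR")")"
# The same escaping applies to a real path: build_json_safe "$(pwd)"
```

With the crafted name, the unsafe build yields three keys (workspace, allow_shell, components) while the escaped build keeps two; the consumer of the payload (here the internal statusline.sh script) would otherwise see attacker-chosen configuration. Where jq or python3 are available, generating the whole document with them instead of printf is the simpler fix.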
Audit Metadata