gcb-monitor
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to use the macOS `say` command for audio notifications. It interpolates external, untrusted data (branch names, trigger names) directly into the shell command string. If these names contain shell metacharacters such as semicolons, backticks, or pipes, it could lead to arbitrary command execution on the user's machine.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from external sources.
  - Ingestion points: The agent reads raw log output from `gcloud builds log` and check details from `gh pr checks`.
  - Boundary markers: No boundary markers or 'ignore' instructions are provided to help the agent distinguish between build logs and system instructions.
  - Capability inventory: The agent has significant capabilities including executing `gcloud` (GCP infrastructure management), `gh` (GitHub repository management), and local shell commands (`say`).
  - Sanitization: There is no evidence of log sanitization or validation of the PR check data before processing.
Audit Metadata