microsim-utils
Fail
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/create-microsim-todo-json-files.py` is vulnerable to path traversal. It extracts a `sim-id` from chapter documentation and uses it to build the output file path without sanitizing path characters (e.g., `../`), which allows arbitrary file writes on the host system.
- [DATA_EXFILTRATION]: The screenshot capture utility described in `references/screen-capture.md` launches Chrome with the `--disable-web-security` and `--allow-file-access-from-files` flags. If an agent is instructed to capture a screenshot of a malicious MicroSim, the visualization code could read sensitive local files and exfiltrate them, because those flags disable the same-origin policy and the browser's `file://` access restrictions.
- [PROMPT_INJECTION]: The skill relies on parsing project documentation to drive its logic, creating a surface for indirect prompt injection (Category 8).
  - Ingestion points: Documentation files in `docs/chapters/*/index.md` are scanned for metadata and simulation specifications.
  - Boundary markers: None identified in the parsing scripts.
  - Capability inventory: File system writes (JSON output) and execution of utility scripts based on extracted content.
  - Sanitization: Uses `json.dump` for the final output format but does not validate or sanitize the logic-driving fields such as `sim_id` against path traversal.
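The traversal the COMMAND_EXECUTION finding describes, and the check that closes it, as an added example (not the project's `create-microsim-todo-json-files.py`, whose code is not reproduced on this page): the function names, the slug grammar `[a-z0-9-]`, the `.json` output layout and the constructed sample identifiers are assumptions. The unchecked join is shown beside a two-gate validator: a strict allowlist on the identifier, then a resolved-path containment check.

```python
import json
import re
from pathlib import Path
from typing import Optional

# Added example, not the project's script. The function names, the slug
# grammar and the JSON shape are assumptions; the audit only states that a
# sim-id taken from chapter docs is joined into an output path unchecked.
SIM_ID_RE = re.compile(r"[a-z0-9][a-z0-9-]{0,63}")


def vulnerable_output_path(out_dir: str, sim_id: str) -> Path:
    """The pattern the audit describes: sim_id goes straight into the path.
    '../x' walks out of out_dir, and an absolute sim_id replaces out_dir
    entirely (pathlib drops the left operand when the right one is absolute)."""
    return Path(out_dir) / f"{sim_id}.json"


def escapes_output_dir(out_dir: str, relative_name: str) -> bool:
    """Containment check: does out_dir/relative_name resolve to anything other
    than a direct child of out_dir?"""
    base = Path(out_dir).resolve()
    target = (base / relative_name).resolve()
    return target.parent != base


def vet_sim_id(out_dir: str, sim_id: str) -> Optional[str]:
    """Return None if sim_id may be used, otherwise the reason it was rejected.
    Two independent gates: a strict allowlist on the identifier itself, then a
    resolved-path containment check in case the allowlist is ever loosened."""
    if not SIM_ID_RE.fullmatch(sim_id):
        return "not a plain slug"
    if escapes_output_dir(out_dir, f"{sim_id}.json"):
        return "escapes output directory"
    return None


def write_todo(out_dir: str, sim_id: str, todo: dict) -> Path:
    """Hardened write: refuse anything vet_sim_id rejects, then json.dump."""
    reason = vet_sim_id(out_dir, sim_id)
    if reason is not None:
        raise ValueError(f"rejected sim-id {sim_id!r}: {reason}")
    path = Path(out_dir) / f"{sim_id}.json"
    path.parent.mkdir(parents=True, exist_ok=True)
    with path.open("w", encoding="utf-8") as fh:
        json.dump(todo, fh, indent=2)
    return path


if __name__ == "__main__":
    # Constructed sample identifiers, as they might be scraped from a chapter's index.md.
    for sid in ["intro-sim", "../../../etc/cron.d/evil", "/tmp/evil", "sim id"]:
        unchecked = vulnerable_output_path("out", sid)
        verdict = vet_sim_id("out", sid) or "ok"
        print(f"{sid!r:30} unchecked -> {unchecked}   verdict: {verdict}")
```

Run it to see `../` and absolute identifiers pass straight through the unchecked join while the validator rejects them. The allowlist alone is sufficient for the slug grammar assumed here; the containment check is there so that the write stays inside the output directory even if the allowlist is later widened to accept characters that pathlib treats specially.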
Recommendations
- AI detected serious security threats
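For the DATA_EXFILTRATION finding, the weak Chrome command line beside a capture command that leaves the browser's default origin checks in place, as an added example (not the utility from `references/screen-capture.md`, whose invocation is not shown on this page): only the two switches come from the finding; the binary name, headless mode, window size and the constructed sample argv are assumptions.

```python
from typing import Iterable, List

# Added example, not the capture utility itself. The audit names the two
# switches below; everything else about the command line is an assumption.
AUDITED_SWITCHES = {"--disable-web-security", "--allow-file-access-from-files"}

# Weak command line of the kind the audit describes (constructed sample, not
# copied from the project): origin checks off, file:// reads allowed, and the
# untrusted MicroSim loaded from a file:// URL.
WEAK_ARGV: List[str] = [
    "google-chrome",
    "--headless",
    "--disable-web-security",
    "--allow-file-access-from-files",
    "--screenshot=shot.png",
    "file:///path/to/microsim/index.html",
]


def flagged_switches(argv: Iterable[str]) -> List[str]:
    """Return, in order, every switch in argv that the audit flagged.
    Chrome switches may carry a value after '=', so compare the name only."""
    return [arg for arg in argv if arg.split("=", 1)[0] in AUDITED_SWITCHES]


def capture_argv(url: str, out_png: str, width: int = 1280, height: int = 800) -> List[str]:
    """Headless screenshot command with Chrome's default origin and file-access
    restrictions intact; a MicroSim rendered this way cannot read local files."""
    return [
        "google-chrome",
        "--headless",
        "--no-first-run",
        f"--window-size={width},{height}",
        f"--screenshot={out_png}",
        url,
    ]


if __name__ == "__main__":
    print("weak   :", flagged_switches(WEAK_ARGV))
    print("harden :", flagged_switches(capture_argv("http://127.0.0.1:8000/index.html", "shot.png")))
```

`flagged_switches` is the gate to put in front of whatever spawns the browser: refuse to run if it returns anything, rather than trusting that the documented command never drifts.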
Audit Metadata