fetch-rules
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill facilitates Indirect Prompt Injection by automatically loading instructions from workspace files that may be untrusted.
- Ingestion points: Rules are fetched from .cursor/rules/*.mdc, .cursor/rules/*.md, AGENTS.md, and the legacy .cursorrules file.
- Boundary markers: Documentation does not specify any delimiters or warnings used when injecting these rules into the agent's context.
- Capability inventory: The purpose of the skill is to select rules that are then 'applied' to the agent's logic, giving these files control over the agent's reasoning.
- Sanitization: No sanitization of the markdown or frontmatter content is described.
- [COMMAND_EXECUTION] (MEDIUM): The skill executes a local bash script (scripts/fetch_rules.sh) using arguments derived from user input (--prompt) and filesystem metadata.
- Evidence: bash scripts/fetch_rules.sh --prompt "<your request>"
- Risk: If the shell script (not provided for review) does not properly quote or sanitize the prompt and file path arguments, an attacker could achieve shell command injection.
Recommendations
- AI detected serious security threats
Audit Metadata