read_file
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGH (CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill provides unrestricted access to the local filesystem by accepting any user-provided path. This allows for the exposure of highly sensitive files including SSH private keys (/.ssh/id_rsa), cloud provider credentials (/.aws/credentials), and application secrets (.env files).
- [COMMAND_EXECUTION]: The shell script read_file_cli.sh executes the system command cat using the provided path parameter. Although the variable is quoted to mitigate direct shell injection, the absence of a whitelist or directory sandbox allows for arbitrary file read operations across the entire filesystem.
- [PROMPT_INJECTION]: The skill acts as an ingestion point for untrusted data from the filesystem, which can lead to indirect prompt injection if the files contain instructions that influence the agent's behavior.
  - Ingestion points: read_file_cli.sh (reads arbitrary file content via cat).
  - Boundary markers: None identified; the file content is returned directly to the agent context.
  - Capability inventory: The skill provides broad file read access.
  - Sanitization: No content validation or sanitization is performed on the data retrieved from files.
Recommendations
- AI detected serious security threats
Audit Metadata