devops
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- PROMPT_INJECTION (HIGH): Vulnerable to Indirect Prompt Injection (Category 8) due to high-privilege capabilities combined with external data ingestion.
- Ingestion points: Dockerfiles and cloud deployment configurations referenced throughout
SKILL.md. - Boundary markers: None. There are no delimiters to isolate agent instructions from untrusted infrastructure code.
- Capability inventory: Broad command execution access via
gcloud,wrangler, anddockerfor modifying production environments. - Sanitization: None. Data from external configurations is used directly in shell commands.
- Ingestion points: Dockerfiles and cloud deployment configurations referenced throughout
- REMOTE_CODE_EXECUTION (LOW): Uses
curl | bashfor software installation.- Evidence:
curl https://sdk.cloud.google.com | bashinSKILL.md. - Note: Downgraded to LOW as the source (google.com) is a Trusted External Source.
- Evidence:
- EXTERNAL_DOWNLOADS (LOW): Performs global installation of the
wranglerCLI.- Evidence:
npm install -g wranglerinSKILL.md. - Note: Downgraded to LOW as it uses the trusted npmjs.com registry.
- Evidence:
Recommendations
- CRITICAL: Downloads and executes remote code from untrusted source(s): https://sdk.cloud.google.com - DO NOT USE
- AI detected serious security threats
Audit Metadata