compound-docs
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute system commands including grep, mkdir, and cat. It also runs a Python script (init_skill.py) using the [skill-name] provided by the user. There is no explicit sanitization for the [skill-name] input in the Decision Menu (Option 5), which could lead to command injection if a malicious user provides input containing shell metacharacters.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests data from conversation history to generate 'Critical Patterns' that are intended to guide the behavior of future agent sessions.
  - Ingestion points: Conversation history is parsed in Step 2 to extract symptoms, solutions, and root causes.
  - Boundary markers: No specific boundary markers or 'ignore instructions' warnings are used when writing the gathered content into documentation or pattern files.
  - Capability inventory: The skill can execute bash commands, write to the filesystem, and trigger external scripts.
  - Sanitization: While filenames are sanitized to prevent path traversal or shell injection in the file path (Step 4), the actual content of the documentation (code examples, explanations) is not sanitized before being written to files that the agent later treats as authoritative instructions.
Audit Metadata