elasticsearch-file-ingest

Fail

Audited by Gen Agent Trust Hub on Apr 4, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill's setup instructions in SKILL.md include a command to download and execute a script from https://elastic.co/start-local. This is used to provision a local Elasticsearch environment using official vendor infrastructure.
  • [COMMAND_EXECUTION]: The scripts/ingest.js tool implements a custom transformation feature that dynamically loads and executes JavaScript files from the local file system. It uses import() and require() to load paths specified via the --transform command-line argument, allowing for the execution of user-provided logic during data processing.
  • [DATA_EXFILTRATION]: The skill manages sensitive Elasticsearch authentication data, such as API keys and passwords. These credentials are accepted via environment variables or plaintext command-line flags to authenticate the tool with target Elasticsearch clusters.
  • [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it ingests untrusted data from external sources like CSV, JSON, and Parquet files.
      • Ingestion points: scripts/ingest.js (via --file or --stdin flags).
      • Boundary markers: None identified; external data is processed directly.
      • Capability inventory: scripts/ingest.js performs network operations to Elasticsearch clusters and reads local files.
      • Sanitization: No explicit sanitization or instruction-filtering is performed on the ingested content before it is transformed and indexed.
Recommendations
  • HIGH: Downloads and executes remote code from: https://elastic.co/start-local - DO NOT USE without thorough review
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 4, 2026, 01:37 PM