knowledge-compound
Audited by Gen Agent Trust Hub on Feb 12, 2026
The knowledge-compound skill's primary function is to capture user-provided information and save it to a markdown file. The skill states that the file should be saved to `docs/solutions/YYYY-MM-DD-<slug>.md`, where `<slug>` is derived from user input, and it lists `Write` as an allowed tool.
Threats Identified:
- COMMAND_EXECUTION / DATA_EXFILTRATION (HIGH): The most significant risk lies in the construction of the filename's `<slug>`. If the agent incorporates user-provided text into the slug without strict sanitization (for example, restricting it to lowercase alphanumerics and hyphens), a malicious user can supply input containing path traversal sequences (e.g., `../../../../etc/passwd`) or shell metacharacters (e.g., `$(rm -rf /)`). If the `Write` tool, or any shell step the agent runs to create the file, uses that unsanitized slug, this can lead to:
  - Arbitrary file write: content written to locations outside docs/solutions, potentially overwriting user data or any other file the agent has permission to modify.
  - Command execution: if the slug is ever interpolated into a shell command, the injected command runs with the agent's permissions.
- PROMPT_INJECTION (MEDIUM): The skill uses `AskUserQuestion` to gather information from the user. Because the skill's core purpose is to process and document user input, it is inherently exposed to prompt injection, direct (a malicious user) or indirect (text the user pastes from an untrusted source): crafted input for the document's title or content could attempt to manipulate the agent's subsequent actions, potentially leading it to use the `Write` tool in ways the skill's author did not intend.
No other direct threats (Obfuscation, Unverifiable Dependencies, Privilege Escalation, Persistence Mechanisms, Metadata Poisoning, Time-Delayed Attacks) were found within the skill's definition files. The `references/solution-template.md` file is a static template and contains no executable code or suspicious patterns.
Recommendations:
- Implement strict sanitization for any user-derived input that is used to construct file paths or shell commands. The agent should validate and filter the `<slug>` to reject path traversal characters (`/`, `..`) and shell syntax (`$`, `(`, `)`, `;`, `|`, `&`, backticks, etc.). Better still, enforce an allow-list format (e.g., kebab-case: lowercase alphanumerics and hyphens only) rather than trying to enumerate dangerous characters.
- When using the `Write` tool, ensure that the underlying implementation constructs the file path securely: resolve the final path and confirm it still lies directly inside docs/solutions, so traversal is blocked even if the filename component is partially compromised.
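As an added example (not code from the skill or from this audit), the following Python combines the two recommendations: an allow-list slug sanitiser and a path-containment check for `docs/solutions/YYYY-MM-DD-<slug>.md`, run against the hostile inputs cited above. All function names (`make_slug`, `solution_path`, `write_solution`, `unsafe_shell_command`, `demo`), the sample titles and the date are assumptions constructed for this example; `unsafe_shell_command` only returns the command string that a shell-based implementation would have run, it never executes anything.

```python
import re
import tempfile
from datetime import date
from pathlib import Path

# All names in this file are hypothetical helpers written for this example;
# the knowledge-compound skill itself is a markdown definition, not code.
SLUG_RE = re.compile(r"[^a-z0-9]+")               # anything NOT allowed
KEBAB_RE = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")  # the final allowed shape
MAX_SLUG_LEN = 60
SAMPLE_DAY = date(2026, 2, 12)  # constructed date for the demo


def make_slug(user_text: str, fallback: str = "untitled") -> str:
    """Allow-list sanitiser: lower-case, collapse every run of characters
    outside [a-z0-9] into one hyphen, trim, cap the length, never return ''."""
    slug = SLUG_RE.sub("-", user_text.lower()).strip("-")
    slug = slug[:MAX_SLUG_LEN].rstrip("-")
    return slug or fallback


def solution_path(base_dir: str, slug: str, day: date) -> Path:
    """Build docs/solutions/YYYY-MM-DD-<slug>.md under base_dir with two
    independent checks: the slug must already be kebab-case, and the resolved
    path must still sit directly inside docs/solutions (defence in depth, in
    case a caller ever passes a slug that skipped make_slug())."""
    if not KEBAB_RE.fullmatch(slug):
        raise ValueError(f"slug is not kebab-case: {slug!r}")
    root = (Path(base_dir) / "docs" / "solutions").resolve()
    target = (root / f"{day.isoformat()}-{slug}.md").resolve()
    if target.parent != root:
        raise ValueError(f"path escapes docs/solutions: {target}")
    return target


def unsafe_shell_command(slug: str, day: date) -> str:
    """The anti-pattern the audit warns about: interpolating the raw slug into
    a shell string. Returned, never executed, so the injection is visible."""
    return f"cat > docs/solutions/{day.isoformat()}-{slug}.md"


def write_solution(base_dir: str, title: str, body: str, day: date) -> Path:
    """Hardened write: sanitise, confine, then use the filesystem API directly
    (no shell) to create the file."""
    target = solution_path(base_dir, make_slug(title), day)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(body, encoding="utf-8")
    return target


def demo() -> dict:
    """Run the hostile titles from the audit through both paths in a
    throw-away directory and report what happened."""
    hostile_titles = ["../../../../etc/passwd", "$(rm -rf /)", "Fix Flaky CI Tests!"]
    results = {"raw_commands": [], "written": [], "rejected": []}
    with tempfile.TemporaryDirectory() as tmp:
        for title in hostile_titles:
            results["raw_commands"].append(unsafe_shell_command(title, SAMPLE_DAY))
            path = write_solution(tmp, title, f"# {title}\n", SAMPLE_DAY)
            results["written"].append(path.relative_to(Path(tmp).resolve()).as_posix())
        # Slugs that somehow bypassed make_slug() are still refused.
        for bad in ["../escape", "etc/passwd", "Uppercase", ""]:
            try:
                solution_path(tmp, bad, SAMPLE_DAY)
            except ValueError:
                results["rejected"].append(bad)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The sanitiser is an allow-list (everything outside `[a-z0-9]` becomes a hyphen), so traversal sequences and shell metacharacters never reach the path; the `resolve()` comparison in `solution_path` is a second, independent check that would also catch a caller passing a raw slug. The file is created with `Path.write_text`, so there is no shell for `$(...)` to be evaluated in.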
Verdict: AI detected serious security threats.