tool-design
Warn
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill (SKILL.md and references/architectural_reduction.md) promotes an architecture that replaces specialized tools with general-purpose 'primitive' tools, specifically advocating for giving agents a 'bash command execution tool' to run arbitrary commands. While sandboxing is mentioned as a prerequisite, this pattern significantly increases the risk of remote code execution if the sandbox is misconfigured or bypassed.
- [COMMAND_EXECUTION]: The 'File System Agent Pattern' described in the skill encourages providing agents with tools like grep, cat, and find via a raw command execution interface. This design choice facilitates deep system access and potential unauthorized data manipulation by the agent if not strictly constrained.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection in the 'Tool-Testing Agent Pattern' (SKILL.md).
  1. Ingestion point: The failure_examples variable is interpolated into a prompt used to refine tool definitions.
  2. Boundary markers: No delimiters or 'ignore embedded instructions' warnings are present around the interpolated data.
  3. Capability inventory: The skill explicitly recommends giving agents high-impact capabilities like bash execution (execute_command) and SQL access (execute_sql).
  4. Sanitization: No escaping, validation, or filtering is performed on the input data before prompt interpolation.
Audit Metadata