todo-creation
Warn
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill is vulnerable to shell command injection. In `SKILL.md`, user-provided `<category>` and `<title>` are interpolated directly into a bash command string. Shell metacharacters in these inputs (e.g., `;`, `&`, `|`, or backticks) can lead to arbitrary command execution when the agent invokes the script.
- [COMMAND_EXECUTION]: The `scripts/create-todo.sh` script uses an unquoted heredoc (`cat > "$FILEPATH" <<EOF`) to write the todo file content. In bash, unquoted heredocs allow for variable expansion and command substitution. If a user-supplied title contains patterns like `$(...)`, the shell will execute the enclosed command during the file-writing process.
- [COMMAND_EXECUTION]: The skill is vulnerable to path traversal. The `category` argument is used to construct the target directory path (`TODO_DIR="$TODOS_ROOT/$CATEGORY"`) without validation or sanitization. An attacker can provide a category containing `../` sequences to create directories and write files in sensitive locations outside the designated todos folder.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it ingests untrusted data and uses it to perform high-privilege operations like file system modification and shell execution.
  - Ingestion points: User-provided `category` and `title` arguments extracted from the user's request or via `AskUserQuestion`.
  - Boundary markers: None identified; inputs are passed directly into the shell environment.
  - Capability inventory: Execution of bash scripts (`SKILL.md`), directory creation via `mkdir`, and file writing via `cat` (`scripts/create-todo.sh`).
  - Sanitization: No sanitization or escaping is performed on the `category` input or on the `title` input prior to shell interpolation and heredoc expansion.
Audit Metadata