datadog-observability

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (HIGH): The skill instructs the agent to execute shell commands using string interpolation of user-provided values for queries, service names, and environments. This creates a direct command injection surface where an attacker can use shell metacharacters (e.g., ;, &, |) to execute arbitrary commands on the system. The use of shell-based command substitution like $(date ...) further increases this risk.
  • PROMPT_INJECTION (HIGH): The skill is highly susceptible to Indirect Prompt Injection.
      • Ingestion points: The skill retrieves application logs and APM data via pup logs search and pup logs aggregate.
      • Boundary markers: No boundary markers or delimiters are provided to separate the command output from the agent's instructions.
      • Capability inventory: The agent has the capability to execute shell commands, pipe output to utilities like jq, and perform network requests to Datadog.
      • Sanitization: There is no evidence of sanitization for the log content being processed. An attacker could inject instructions into log messages (e.g., via malicious HTTP headers) that the agent might obey while 'investigating' production errors.
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill documentation requires the installation of the pup CLI from datadog/pack/pup via Homebrew. While Datadog is a well-known service, this repository is not on the [TRUST-SCOPE-RULE] whitelist of trusted GitHub organizations, making the dependency unverifiable for high-security environments.
  • REMOTE_CODE_EXECUTION (HIGH): Successful command injection via the shell-templated commands would result in full Remote Code Execution (RCE) on the environment where the agent is running.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 12:38 PM