Gen Agent Trust Hub audit: skills/eveld/claude/share-docs

share-docs

Audit result: Fail

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The workflow runs shell commands (for example cp -r, git add and git commit) with the variables ${username}, ${NNNN} and ${slug} interpolated into them. These values are extracted from user-supplied directory paths without validation. A path component containing shell metacharacters such as a semicolon, backticks or $(...) therefore becomes part of the command line and can run arbitrary commands with the agent's privileges.
  • [DATA_EXFILTRATION]: Combined with the command injection above, an attacker can read sensitive files (SSH keys, environment variables) and send them to an external host with network tools such as curl or wget.
  • [PROMPT_INJECTION]: The skill exposes an attack surface for indirect prompt injection.
    • Ingestion points: markdown files within the thoughts directory are read and processed to update their frontmatter, so anyone who can write to that directory can place instructions in front of the agent.
    • Boundary markers: none identified; file content reaches the agent without delimiters separating it from the skill's own instructions.
    • Capability inventory: git push, git commit and directory copying, which is what an injected instruction would be able to trigger.
    • Sanitization: no evidence of validation of the extracted path components or of content filtering before the markdown files are processed.
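The following script is an added illustration and is not the share-docs skill's own code. It shows the vulnerable pattern the COMMAND_EXECUTION finding describes (a path component pasted into a command string that the shell re-parses) next to the validation the audit found missing: each component is checked against a strict allowlist and then passed to cp and git as its own argument, so metacharacters are never interpreted. The thoughts/<username>/<NNNN>-<slug> layout, the function names and the allowlist are assumptions made for this example, and echo stands in for cp and git so the run has no side effects.

```shell
#!/bin/sh
# Added illustration for the COMMAND_EXECUTION finding. This is not the
# share-docs skill's code: the thoughts/<username>/<NNNN>-<slug> layout, the
# function names and the allowlist are assumptions made for this example.

# Pull the three components out of a document directory path. No validation
# happens here; this is where an attacker-chosen directory name becomes
# ${username}, ${NNNN} and ${slug}.
path_username() { p=${1%/}; p=${p%/*}; printf '%s\n' "${p##*/}"; }
path_nnnn()     { p=${1%/}; p=${p##*/}; printf '%s\n' "${p%%-*}"; }
path_slug()     { p=${1%/}; p=${p##*/}; printf '%s\n' "${p#*-}"; }

# Allowlist check for one component: non-empty, only [A-Za-z0-9._-], no leading
# dot (rejects "..", ".git" and hidden directories). Returns 1 on reject.
is_safe_component() {
    case $1 in
        '' | .* | *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Validate all three; NNNN must additionally be exactly four digits.
validate_components() {
    is_safe_component "$1" && is_safe_component "$3" || return 1
    case $2 in
        [0-9][0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# VULNERABLE pattern: components are pasted into a command string that the
# shell re-parses, so a username such as 'alice;echo INJECTED;#' ends the cp
# command at the first ';' and runs whatever follows. echo stands in for cp
# so the demo has no side effects; the parsing is identical.
unsafe_share() {
    eval "echo cp -r thoughts/$1/$2-$3 shared/$1/$2-$3"
}

# HARDENED pattern: validate first, then hand each component to the program
# as its own argv element. Nothing is re-parsed, so metacharacters are inert.
# DRY_RUN=1 (the default here) prints the argv instead of executing it.
run_cmd() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

safe_share() {
    validate_components "$1" "$2" "$3" || {
        printf 'refusing unsafe path components: %s %s %s\n' "$1" "$2" "$3" >&2
        return 1
    }
    src="thoughts/$1/$2-$3"
    dst="shared/$1/$2-$3"
    run_cmd cp -r "$src" "$dst" &&
        run_cmd git add "$dst" &&
        run_cmd git commit -m "share $1/$2-$3"
}

# Demo on a hostile path and a benign one (both constructed for this example).
hostile='thoughts/alice;echo INJECTED;#/0042-threat-model'
u=$(path_username "$hostile"); n=$(path_nnnn "$hostile"); s=$(path_slug "$hostile")
echo '--- unsafe_share, hostile username:'
unsafe_share "$u" "$n" "$s"             # second output line is INJECTED
echo '--- safe_share, hostile username:'
safe_share "$u" "$n" "$s" || echo 'rejected'
echo '--- safe_share, benign path:'
safe_share alice 0042 threat-model
```

Run it with sh to watch the hostile username split the cp command in unsafe_share and be refused by safe_share; set DRY_RUN=0 to let safe_share execute the cp and git commands for real. The allowlist is deliberately narrow: admitting spaces or a leading dash would reintroduce word splitting and option injection (a component beginning with "-" can be read by cp or git as a flag), so widen it only with a matching change to how the arguments are passed.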
Recommendations
  • AI detected serious security threats; the skill should not be used as-is. Validate ${username}, ${NNNN} and ${slug} against a strict allowlist before they reach any command, pass them as separate arguments rather than interpolating them into a command string, and delimit file content from instructions before the agent processes markdown from the thoughts directory.
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 28, 2026, 10:32 PM