filesystem-context
Fail
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The file 'references/implementation-patterns.md' defines a 'TerminalCapture' class that uses 'subprocess.run(command, shell=True)'. This pattern allows for the execution of arbitrary shell commands. If an agent uses this tool with unvalidated input from a user or an untrusted external tool, it creates a high-risk command injection vulnerability.
- [PROMPT_INJECTION]: The skill documentation in 'SKILL.md' and the implementation in 'references/implementation-patterns.md' promote 'Learning Through Self-Modification'. This pattern involves agents writing their own instructions and preferences to the filesystem. This mechanism can be used by an attacker to persistently inject malicious instructions that the agent will follow in future sessions.
- [DATA_EXFILTRATION]: The 'TerminalCapture' pattern in 'references/implementation-patterns.md' automatically logs the complete output of terminal commands to the 'terminals/' directory. This creates a risk of sensitive data exposure, as API keys, secrets, or system information printed to the terminal are saved in plain text files.
- [PROMPT_INJECTION]: The skill implements a workflow for ingesting and summarizing untrusted tool outputs.
  1. Ingestion points: 'scripts/filesystem_context.py' (via 'process_output') and 'references/implementation-patterns.md' (via 'TerminalCapture.run_command').
  2. Boundary markers: Absent. The skill does not use delimiters or instructions to ignore embedded commands in the processed data.
  3. Capability inventory: The skill provides full filesystem access and command execution capabilities via reference patterns.
  4. Sanitization: There is no validation or sanitization of tool outputs before they are processed and re-introduced into the context window.
Recommendations
- AI detected serious security threats
Audit Metadata