legal-review
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): Potential for shell command injection in Phase 1 (Resolve Scope). The execution protocol instructs the agent to interpret natural language arguments and execute them using shell command templates like `grep -l "$TERM"` and `git diff`. If a user provides an input containing shell metacharacters (e.g., `"; cat /etc/passwd #"`), the agent might execute arbitrary commands depending on how it interpolates the interpreted 'intent' into the bash blocks.
- [PROMPT_INJECTION] (LOW): Indirect Prompt Injection vulnerability surface in Phase 3.
  - Ingestion points: The `/lawyer` agent is explicitly instructed to "Read each file completely" for all files identified in the scope resolution phase.
  - Boundary markers: Absent. The files are passed to the lawyer agent prompt via a simple variable `$FILES` without delimiters or instructions to ignore embedded commands.
  - Capability inventory: The system can execute shell commands (`git`, `grep`, `glob`, `git log`) and the lawyer agent has the capability to load and execute additional skills.
  - Sanitization: No sanitization or escaping is performed on the file content before it is processed by the lawyer agent.
- [DATA_EXFILTRATION] (LOW): The skill performs broad repository-wide searches using `grep` and `glob` and accesses git history. While no external network calls are present in the provided file, these capabilities allow for the discovery and aggregation of sensitive data within the local environment.
Recommendations
- AI detected serious security threats
Audit Metadata