update-state
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/update-state.sh` dynamically assembles `jq` filter strings using direct shell variable interpolation (e.g., `$ISSUE_ID`, `$ISSUE_TITLE`, `$PHASE`). This approach is highly vulnerable to injection because shell variables are expanded into the `jq` command string without sanitization or proper escaping (such as using `jq --arg`).
- [PROMPT_INJECTION]: The skill exhibits an Indirect Prompt Injection surface (Category 8). It ingests untrusted data from the agent environment—including issue identifiers, titles, and error messages—which are then processed by the state management logic.
  - Ingestion points: Arguments passed to `update-state.sh` for commands like `start-issue`, `record-error`, and `skip-phase`.
  - Boundary markers: None. The script directly concatenates inputs into command strings.
  - Capability inventory: The skill has the capability to perform atomic writes to the `.claude/marathon-ralph.json` state file via `jq` and `mv`.
  - Sanitization: Absent. There is no validation or escaping of the input variables before they are used to build executable `jq` filters.
- [PROMPT_INJECTION]: The injection vulnerability can be leveraged to manipulate the agent's 'Circuit Breaker' system. A crafted input containing `jq` operators (e.g., `"] | .failure_tracking.global.consecutive_failures = 0 | .["`) could be used to reset failure counters, modify configuration limits, or delete tracking data, thereby allowing the agent to bypass safety constraints or enter infinite retry loops.
- [PROMPT_INJECTION]: The `check-limits` command manually constructs JSON output strings using shell variable interpolation. If the variables contain double quotes or other JSON special characters, the command will produce malformed JSON, leading to schema confusion and potential logic failures in the agent's decision-making process.
Audit Metadata