filesystem-context
Fail
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The TerminalCapture class in references/implementation-patterns.md uses subprocess.run(command, shell=True), enabling arbitrary shell command execution. This is a severe risk if untrusted data is interpolated into the command string.
- [PROMPT_INJECTION]: Pattern 6 (Self-Modification) allows agents to update their own instruction files, creating a persistent indirect prompt injection surface. Ingestion points: Data read from scratch/ and agent/ files. Boundary markers: None used to isolate data from instructions. Capability inventory: File writing and unsafe shell execution. Sanitization: None; data is written and re-read without validation.
- [DATA_EXFILTRATION]: The skill encourages persisting terminal logs and tool outputs to files. These artifacts often contain sensitive data (e.g., environment variables), which increases the exposure surface for potential exfiltration.
Recommendations
- AI detected serious security threats