capability-trainer
Warn
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions in SKILL.md direct the agent to 'Actually run' code examples from official documentation and execute practice tasks. This behavior relies on the safety of third-party content and executes commands in the local environment.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it processes untrusted web data.
  1. Ingestion points: Documentation is retrieved via web_search.
  2. Boundary markers: No delimiters are used to separate untrusted data.
  3. Capability inventory: The skill utilizes shell commands for file management and code execution.
  4. Sanitization: No sanitization is performed on external content.
- [REMOTE_CODE_EXECUTION]: The workflow of retrieving code from the internet and executing it locally constitutes a remote code execution risk, as an attacker could poison public documentation to execute malicious payloads.
- [DATA_EXFILTRATION]: While no specific exfiltration logic is defined, the capability to execute code combined with web search access provides a mechanism for data theft.
Audit Metadata