scout

Fail

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [COMMAND_EXECUTION]: The skill makes extensive use of the Bash subagent type to execute shell commands, including cat, sed, wc, and third-party CLI tools like gemini and opencode.
    • Evidence: Found in references/external-scouting.md and references/internal-scouting.md where the agent is instructed to run commands like gemini -y -m <model> "[prompt]" and sed -n '1,500p' large-file.ts.
    • Risk: The construction of these commands using variable placeholders (e.g., [prompt]) without explicit sanitization patterns creates a command injection surface if the prompt or file paths contain shell-special characters.
  • [DATA_EXFILTRATION]: The skill's primary function is to send contents of the local codebase to external AI services via the gemini and opencode CLI tools.
    • Evidence: references/external-scouting.md explicitly defines workflows to pass codebase search results and file contents to these external agents.
    • Risk: This involves transmitting potentially sensitive or proprietary code to third-party endpoints, which may not be governed by the same security policies as the local environment.
  • [EXTERNAL_DOWNLOADS]: The skill encourages the user to install external third-party CLI tools (gemini and opencode) if they are not already present on the system.
    • Evidence: references/external-scouting.md contains a section "Installation Check" that instructs the agent to ask the user to install these tools.
    • Risk: Encouraging the installation of non-standard or unverified binary tools can introduce supply chain risks if the installation source is not trusted.
  • [DATA_EXPOSURE]: The skill reads from local configuration files that may contain sensitive settings or API keys.
    • Evidence: SKILL.md and references/external-scouting.md reference reading configuration from .claude/.ck.json.
  • [INDIRECT_PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from the codebase and passes it to LLM-powered subagents.
    • Ingestion points: The skill reads files from the local filesystem (e.g., src/, lib/) using cat, sed, and CLI tools as described in references/external-scouting.md and references/internal-scouting.md.
    • Boundary markers: Absent. The instructions provided to the subagents do not include delimiters or specific instructions to ignore embedded commands within the files being scanned.
    • Capability inventory: The skill utilizes the Task tool with subagent_type: "Bash", granting the agent full shell access to the local environment.
    • Sanitization: Absent. There is no evidence of escaping, filtering, or validating the content read from the files before it is processed by the agents.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 29, 2026, 03:17 AM