Scouting Code Patterns

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Flags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) because it is designed to ingest and process data from untrusted public web sources.
      ◦ Ingestion points: Public code examples retrieved via search, as described in SKILL.md (Step 2).
      ◦ Boundary markers: Absent. There are no instructions to delimit the external content or to treat it as untrusted data.
      ◦ Capability inventory: The agent has the capability to write to the local filesystem (Step 4) and to execute shell commands (Step 6).
      ◦ Sanitization: Absent. The skill instructions do not specify any validation or filtering of the code content before it is saved or used.
  • COMMAND_EXECUTION (HIGH): The skill explicitly instructs the agent to execute a shell command: npm run sync (SKILL.md, Step 6).
      ◦ This allows the agent to trigger arbitrary scripts defined in the local environment, which could lead to remote code execution if the local configuration is compromised or if the scripts are influenced by the ingested 'scouted' code.
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill performs network operations to fetch data from non-whitelisted 'public sources' (SKILL.md, Step 2).
      ◦ While intended for research, the lack of source verification or of a whitelist of trusted domains increases the risk of downloading malicious payloads.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 12:21 PM