course
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill accepts user-provided input through '$ARGUMENTS' (Topic, Scenario) and interpolates this data directly into generated file templates (index.qmd, slides.qmd). There are no sanitization procedures or boundary markers defined to prevent the user from injecting malicious instructions or code snippets.
- [COMMAND_EXECUTION] (HIGH): The skill explicitly instructs the agent to run 'quarto render'. Quarto executes code blocks (R or Python) within the documents during the rendering process. Because the content of these code blocks is derived from untrusted user input, an attacker can execute arbitrary commands on the runner's machine (e.g., by injecting code into the 'Topic' or 'Scenario' fields).
- [DATA_EXFILTRATION] (MEDIUM): Exploiting the code execution vulnerability allows an attacker to inject script commands that read sensitive local files (like .env or cloud credentials) and exfiltrate them via network requests, as the skill provides no network restrictions.
- [INDIRECT_PROMPT_INJECTION] (HIGH): Mandatory Evidence Chain:
  1. Ingestion points: '$ARGUMENTS' variable in SKILL.md.
  2. Boundary markers: Absent.
  3. Capability inventory: File creation, shell command execution via 'quarto render'.
  4. Sanitization: Absent.
  The skill is designed to process external content and has high-privilege execution capabilities.
Recommendations
- AI detected serious security threats
Audit Metadata