writing-commands

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (HIGH): The skill documents a "Shell Output" feature using backtick syntax (e.g., `!npm test`) to inject command results into prompts. This capability allows arbitrary command execution on the host system. While the documentation advises using read-only commands, it describes no technical controls that enforce this.
  • PROMPT_INJECTION (HIGH): The templating system uses placeholders like $1, $2, and $ARGUMENTS to interpolate untrusted user input directly into prompts. If these inputs are placed within shell command blocks, it creates a direct vector for command injection attacks.
  • INDIRECT_PROMPT_INJECTION (HIGH): The skill defines a high-risk vulnerability surface where untrusted data (arguments) is processed by a component with shell-execution and file-reading capabilities. Evidence:
    1. Ingestion: $ARGUMENTS and positional variables in templates
    2. Boundaries: None mentioned
    3. Capability: Shell execution (!) and file reading (@)
    4. Sanitization: Absent (the tool relies on user caution)
  • DATA_EXPOSURE (MEDIUM): The @path syntax allows the inclusion of arbitrary local file contents into the agent's context, which could lead to the exposure of sensitive information such as configuration files, environment variables, or private keys if the prompt is processed by an external model.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 09:06 AM