remote-troubleshoot
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE] (HIGH): The skill's instructions in SKILL.md suggest using
sshpass -p<password>, which exposes the remote server's password in plaintext within the system's process list, making it accessible to other users on the host machine.\n- [COMMAND_EXECUTION] (HIGH): The scriptsscripts/generate_helper.shandscripts/generate_fix.shinterpolate variables like$SERVICE,$PORT, and$CONFIGdirectly into shell templates without any sanitization. This allows for arbitrary command injection if these variables are populated with malicious payloads (e.g., using backticks or command separators).\n- [REMOTE_CODE_EXECUTION] (HIGH): The core workflow involves generating scripts locally and piping them to a remote shell via SSH (cat fix-script.sh | ssh user@host "bash -s"). This mechanism provides a direct path for executing dynamically generated, potentially unvetted code on remote infrastructure.\n- [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) as it ingests untrusted data from the remote server.\n - Ingestion points:
journalctloutput, configuration file content (cat,head,tail), and log files.\n - Boundary markers: Very weak; uses simple
echoheaders which are easily bypassed by embedded instructions.\n - Capability inventory: Full shell access on remote servers,
systemctl, andkubectlmanagement.\n - Sanitization: No sanitization or validation is performed on the data retrieved from the remote server before it is presented to the agent for analysis.
Recommendations
- AI detected serious security threats
Audit Metadata