connect
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill constructs shell commands using unvalidated user input for the connector name.
  - Evidence: The process instructions specify executing `python3 scripts/connector-status.py --action setup-guide --name <connector>`, where `<connector>` is direct user input.
  - Risk: A malicious user could provide a string containing shell metacharacters (e.g., `"; touch /tmp/pwned #"`) to execute arbitrary code on the underlying system.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by processing untrusted user input that influences command-line arguments.
  - Ingestion points: User-provided "Connector name" via the agent prompt.
  - Boundary markers: No delimiters or sanitization instructions are present to isolate the `<connector>` variable within the shell command string.
  - Capability inventory: The skill has the capability to execute shell commands (`python3`) and interact with the local filesystem (`.mcp.json`).
  - Sanitization: No sanitization or validation logic is defined to prevent command injection or path traversal via the name parameter.
- [CREDENTIALS_UNSAFE]: While not hardcoding secrets, the skill's primary purpose is to guide users in managing high-value credentials (API keys for Salesforce, Google Ads, etc.) and environment variables.
  - Evidence: Instructions for `npx` connectors require users to provide and set environment variables for sensitive platforms.
Audit Metadata