validate-output
Fail
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill interpolates user-provided data directly into a shell command line: scripts/output-validator.py --action validate --text "{content}" --schema {schema_name_or_path}. This is a critical vulnerability; an attacker can provide content containing shell metacharacters (e.g., ;, |, or a backtick) to execute arbitrary commands on the host system. Similarly, a malicious value for schema_name_or_path could be used to inject commands or read unauthorized files.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8).
  - Ingestion points: Untrusted marketing content is ingested via the {content} input variable in SKILL.md.
  - Boundary markers: Absent. The process description contains no instructions for the agent to use delimiters or ignore embedded instructions within the content being validated.
  - Capability inventory: The skill has the capability to execute subprocesses (scripts/output-validator.py) and read arbitrary configuration and SOP files from the local filesystem (~/.claude-marketing/).
  - Sanitization: Absent. There is no evidence of input validation, escaping, or filtering applied to the content before it is passed to the validation agent.
- [COMMAND_EXECUTION]: The skill reads configuration and profile data from the user's home directory (~/.claude-marketing/brands/). While localized to the application's folder, accessing the home directory for configuration files without strict path validation or sandboxing increases the risk of local data exposure if combined with the command injection vulnerabilities identified above.
Recommendations
- AI detected serious security threats
Audit Metadata