skills/inkeep/team-skills/debug/Gen Agent Trust Hub

debug

Warn

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill is authorized to execute shell commands and write its own reproduction scripts and test files. In 'Delegated' mode, it can iterate through these actions without per-step approval, providing a wide surface for arbitrary command execution.
  • [DATA_EXFILTRATION]: The tool patterns and triage playbooks explicitly direct the agent to inspect sensitive environment data, such as reading '.env' files and listing all environment variables via 'printenv'. This behavior constitutes high-risk data exposure.
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection because it is instructed to ingest and process untrusted external signals such as 'COMPLETE error output' and 'symptom descriptions'. An attacker could use these inputs to manipulate the agent's diagnostic flow.
      • Ingestion points: SKILL.md (Phase 1) and triage playbooks mandate reading and parsing all error messages and stack traces.
      • Boundary markers: The instructions do not define delimiters or ignore-instructions for the untrusted content of error signals.
      • Capability inventory: The skill has access to shell execution, file system modification, and browser automation.
      • Sanitization: No validation or sanitization of external error strings is mentioned before processing.
  • [EXTERNAL_DOWNLOADS]: The skill uses 'curl' and 'wget' to query runtime state, API endpoints, and service availability. While used for diagnostic purposes, these tools can facilitate the download of remote content into the local environment.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 4, 2026, 02:34 PM