exec-remote
Warn
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local bash scripts (`launch_gpu.sh` and `launch_tpu.sh`) and uses the `sky` (SkyPilot) CLI tool to manage clusters and execute jobs. Local shell commands are constructed by concatenating user-provided inputs such as accelerator types, script paths, and arguments.
- [REMOTE_CODE_EXECUTION]: The primary function of the skill is to run arbitrary Python code on remote infrastructure. The `sky exec` command template in `SKILL.md` allows the execution of any script path provided by the user on the provisioned remote cluster.
- [INDIRECT_PROMPT_INJECTION]: The skill is vulnerable to indirect injection because it ingests untrusted user data (accelerator types, script paths, arguments) and interpolates it directly into shell commands.
  - Ingestion points: User-provided arguments for `accelerator_type`, `script-path`, and `args` in the `exec-remote` command.
  - Boundary markers: None. User input is placed directly into shell strings inside `SKILL.md` and the bash scripts.
  - Capability inventory: The skill can run local shell scripts, write to the file system (creating `.cluster_name_*` files and temporary YAMLs), and execute arbitrary code on remote clusters via `sky exec`.
  - Sanitization: The `NAME` parameter is sanitized with a regex in the bash scripts, but the `ACCELERATOR` parameter and the script paths/args used in `sky exec` are not, leaving the system open to command breakout or manipulation.
- [DYNAMIC_EXECUTION]: The scripts `launch_gpu.sh` and `launch_tpu.sh` use `sed` to modify the YAML configuration files (`gpu_resource.sky.yaml` and `tpu_resource.sky.yaml`) at runtime. Because `sed` is invoked with `|` as its delimiter and unsanitized variables such as `$ACCELERATOR` are interpolated into the expression, a value containing `|` terminates the substitution early and whatever follows is parsed as further `sed` commands, so an attacker who controls that value can alter the structure of the resulting YAML file.
Audit Metadata