KeePassXC Integration
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill creates a surface for indirect prompt injection by reading data from an external KeePassXC database (
.kdbx). - Ingestion points: Untrusted data enters the agent context via
keepassxc-cli showandget-keepass-secret.sh(File: SKILL.md). - Boundary markers: Absent; the skill does not specify delimiters or warnings to ignore instructions embedded within retrieved secrets.
- Capability inventory: The skill utilizes shell execution (
bash), subprocess calls (keepassxc-cli), and Python script execution (keepass_ops.py). - Sanitization: No evidence of escaping or validation of secret content before it is processed by the agent.
- Unverifiable Dependencies (LOW): The skill references several external scripts (
get-keepass-secret.sh,save-keepass-password-to-keyring.sh,keepass_ops.py) located in~/.cursor/scripts/that are not provided in the skill package itself, making their behavior unverifiable. - Persistence Mechanisms (LOW): The instructions recommend modifying
~/.profileand~/.bashrcto exportKEEPASS_DB_PATH, which is a standard method for environment persistence but falls under Category 6 detection. - Privilege Escalation (LOW): The troubleshooting section advises the use of
sudo apt installto install dependencies, which is a legitimate but high-privilege operation.
Audit Metadata