Zendesk
Fail
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: HIGH
DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill's setup and architectural instructions require the agent to store the user's Zendesk API token, email, and subdomain in a local plaintext file at ~/zendesk/memory.md. Storing sensitive secrets in a predictable, non-encrypted filesystem path is a high-risk practice that exposes credentials to any other local processes or users, potentially leading to unauthorized access to the entire support environment.
- [COMMAND_EXECUTION]: The skill uses shell commands via curl to interact with the Zendesk API. While the target domain is a well-known service, the use of shell-based operations with interpolated variables derived from local storage or environment variables introduces a risk of command injection if those inputs are not strictly validated or if they can be influenced by untrusted external data.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through the processing of untrusted data from the Zendesk API.
  1. Ingestion points: The agent fetches ticket subjects, descriptions, and comments as part of its core functionality.
  2. Boundary markers: No explicit delimiters or safety instructions are defined to separate external data from agent instructions.
  3. Capability inventory: The skill provides the agent with write access to the support system (creating and updating tickets) and the ability to export data to the local filesystem.
  4. Sanitization: There is no evidence of sanitization or filtering of the fetched ticket content before it is processed by the agent.
Recommendations
- AI detected serious security threats
Audit Metadata