complex-join-helper

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, NO_CODE, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill requests the 'Bash' tool via 'allowed-tools', which lets the agent execute arbitrary shell commands. With no bundled scripts or defined logic to bound what gets run, this is excessive privilege over the host system.
  • [NO_CODE] (LOW): No implementation logic or scripts are provided; the skill is purely instructional. On its own that is low risk, but paired with a request for high-privilege tools it means every action depends entirely on the agent's interpretation of the prose.
  • [PROMPT_INJECTION] (MEDIUM): The YAML frontmatter repeats its trigger phrase ('complex join helper, complex join helper'). Repeating trigger phrases is a known prompt-stuffing technique used to bias intent classification and force activation of the skill.
  • [Indirect Prompt Injection] (HIGH): The skill presents a significant vulnerability surface.
    1. Ingestion points: user queries and data analytics inputs (SQL, CSV or BI data) that may contain untrusted content.
    2. Boundary markers: none; nothing instructs the agent to separate untrusted data from the commands it executes.
    3. Capability inventory: the skill requests the 'Bash', 'Write' and 'Edit' tools.
    4. Sanitization: no validation or escaping mechanism is mentioned.
    Malicious content in the ingested data could therefore steer the agent into executing unauthorized shell commands or modifying files on the host.
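The four findings above are all static properties of the manifest: which tools 'allowed-tools' grants, whether any script is bundled, whether the description repeats its trigger phrase, and whether the instructions ingest external data without a data/command boundary. The script below is an added example that reproduces those checks; it is not the Gen Agent Trust Hub's own code. It assumes the Agent Skills layout (a SKILL.md whose YAML frontmatter carries name, description and allowed-tools, followed by markdown instructions), treats 'allowed-tools' as a comma- or space-separated list, and uses illustrative keyword lists (INGESTION_WORDS, BOUNDARY_PHRASES) as heuristics rather than a specification. The sample manifest embedded in it is constructed to exhibit the properties the audit describes and is not the audited skill's actual file.

```python
"""Static checks over an agent skill manifest (SKILL.md with YAML frontmatter).

Added example; not the Gen Agent Trust Hub tool. Assumptions: Agent Skills
layout (frontmatter with name/description/allowed-tools, then markdown),
'allowed-tools' as a comma- or space-separated list, and keyword lists that
are heuristics, not a spec. The frontmatter parser handles flat key: value
lines only so the script runs on the standard library alone.
"""
import re
from typing import List, NamedTuple, Tuple

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}
TOOLS_RUNNING_COMMANDS = {"Bash"}
TOOLS_CHANGING_FILES = {"Write", "Edit"}
# Words in the instructions suggesting the skill ingests externally supplied data (assumed list).
INGESTION_WORDS = ("sql", "csv", "bi export", "query", "file", "url", "dataset")
# Phrases that would count as a boundary instruction between data and commands (assumed list).
BOUNDARY_PHRASES = ("untrusted", "treat as data", "do not execute", "never run",
                    "confirm with the user")


class Finding(NamedTuple):
    category: str
    severity: str
    detail: str


def parse_frontmatter(skill_md: str) -> Tuple[dict, str]:
    """Split SKILL.md into (frontmatter dict, markdown body)."""
    m = re.match(r"^---\r?\n(.*?)\r?\n---\r?\n?(.*)$", skill_md, re.S)
    if not m:
        return {}, skill_md
    meta = {}
    for line in m.group(1).splitlines():
        key, sep, value = line.partition(":")
        if sep and not line[:1].isspace():
            meta[key.strip()] = value.strip()
    return meta, m.group(2)


def allowed_tools(meta: dict) -> List[str]:
    """'Bash, Write, Edit' or 'Bash(git:*) Read' -> ['Bash', 'Write', 'Edit'] / ['Bash', 'Read']."""
    return [t.split("(")[0] for t in re.split(r"[,\s]+", meta.get("allowed-tools", "")) if t]


def stuffed_phrases(description: str, max_words: int = 6) -> List[str]:
    """Phrases repeated back-to-back ('x y z, x y z'): the prompt-stuffing pattern."""
    words = re.findall(r"[a-z0-9]+", description.lower())
    found = set()
    for n in range(2, max_words + 1):
        for i in range(len(words) - 2 * n + 1):
            if words[i:i + n] == words[i + n:i + 2 * n]:
                found.add(" ".join(words[i:i + n]))
    return sorted(found)


def audit_skill(skill_md: str, bundled_files: List[str]) -> List[Finding]:
    """Run the four manifest checks; bundled_files lists the skill directory contents."""
    meta, body = parse_frontmatter(skill_md)
    tools = set(allowed_tools(meta))
    privileged = tools & (TOOLS_RUNNING_COMMANDS | TOOLS_CHANGING_FILES)
    findings = []
    if tools & TOOLS_RUNNING_COMMANDS:
        findings.append(Finding("COMMAND_EXECUTION", "HIGH",
                                "allowed-tools grants shell execution: %s" % sorted(tools & TOOLS_RUNNING_COMMANDS)))
    scripts = [f for f in bundled_files if f.lower() != "skill.md"]
    if not scripts and privileged:
        findings.append(Finding("NO_CODE", "LOW",
                                "no scripts bundled; behaviour rests on agent interpretation"))
    stuffed = stuffed_phrases(meta.get("description", ""))
    if stuffed:
        findings.append(Finding("PROMPT_INJECTION", "MEDIUM", "repeated trigger phrase(s): %s" % stuffed))
    lowered = body.lower()
    ingests = [w for w in INGESTION_WORDS if w in lowered]
    has_boundary = any(p in lowered for p in BOUNDARY_PHRASES)
    if ingests and privileged and not has_boundary:
        findings.append(Finding("INDIRECT_PROMPT_INJECTION", "HIGH",
                                "ingests %s with %s and no data/command boundary instruction"
                                % (ingests, sorted(privileged))))
    return findings


def risk_level(findings: List[Finding]) -> str:
    """Overall level is the most severe finding, or NONE when the list is empty."""
    if not findings:
        return "NONE"
    return max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__)


# Constructed sample showing the properties the audit describes; not the real manifest.
SAMPLE_SKILL_MD = """---
name: complex-join-helper
description: Helps write complex SQL joins for data analytics. Trigger on complex join helper, complex join helper, multi-table join.
allowed-tools: Bash, Write, Edit
---

# Complex join helper

Read the user's SQL, CSV or BI export, write the joined query to a file and run it.
"""

if __name__ == "__main__":
    found = audit_skill(SAMPLE_SKILL_MD, ["SKILL.md"])
    for f in found:
        print("[%s] (%s): %s" % f)
    print("Risk Level:", risk_level(found))
```

Run against the constructed manifest it reports the same four categories as the audit and an overall level of HIGH. Replacing the tool list with 'Read', dropping the duplicated trigger phrase and bundling a script clears every finding, which is the shape a remediated skill would take; the boundary-phrase check is the weakest of the four, since prose can state a data/command boundary in many ways that a keyword list will miss.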
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 12:16 AM